DNSSEC submit of DLV vs DNSKEY records?
torinthiel at data.pl
Thu May 5 21:40:27 UTC 2011
On 05/05/11 22:47, dchilton+bind at bestmail.us wrote:
> "missed it by THAT much ...". thx! relocating to bind-users.
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <rob0 at gmx.co.uk> wrote:
>> FWIW I think you hit the wrong list. Did you mean bind-users at isc?
>> On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+bind at bestmail.us
>>> after signing my zones with 'dnssec-signzone', i 've got both
>>> containing DS- and DLV-records, respectively.
>>> i know i *can* submit the records to my registrar (DS records)
>>> and dlv.isc.org (DLV records), but should I do both?
>>> i'm not clear if these are redundant mechs for getting to a
>>> 'valid' DNSSEC state, or complementary.
>>> can anyone clarify -- both or just one? and if just one, which
>> [I hope someone will correct me if I'm wrong.]
>> My understanding: if the parent is signed, that is the only way a
>> child zone can be validated, unless of course using trusted-keys.
>> DLV is only done when the parent is unsigned.
DLV can be done anyway, but having a signed parent is better.
Consider this situation: you have signed parent, but not a chain to root
(i.e. an island of trust). This makes your zone unvalidabe to anyone
that doesn't trust that island. now, if you have a DLV record, than
anyone trusting it can also validate your zone. If, OTOH, one trusts
parent, then why should he bother checking DLV?
Having a signed parent won't stop anyone from lookng at DLV (signed !=
Anyway, .com is now signed and if you can put DS in .com than putting it
in DLV as well is overkill.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 262 bytes
Desc: OpenPGP digital signature
More information about the bind-users