DNSSEC submit of DLV vs DNSKEY records?

dchilton+bind at bestmail.us dchilton+bind at bestmail.us
Fri May 6 04:27:12 UTC 2011

On Fri, 06 May 2011 12:45 +1000, "Mark Andrews" <marka at isc.org> wrote:
> > > [I hope someone will correct me if I'm wrong.]
> > > 
> > > My understanding: if the parent is signed, that is the only way a 
> > > child zone can be validated, unless of course using trusted-keys. 
> > > DLV is only done when the parent is unsigned.
> > > 
> > > Off to the registrar you go!
> Once the parent zone is signed and is accepting DS/DNSKEY records for
> child zones there shouldn't be any need to add records to DLV.
> Named won't consult DLV unless there is a insecure delegation between
> the configured trust anchors and the zone.  That being said other
> implementations might try DLV if validation fails on the normal
> trust path.  This is a implementation choice.

all clear, now. i did NOT get that from the docs + dlv site info. 

for now it's DS/DNSKEY for me (.com, .net & .org only).  just did
external verifies on my signed zones, and all's working.


More information about the bind-users mailing list