DNSSEC submit of DLV vs DNSKEY records?

Chris Thompson cet1 at cam.ac.uk
Fri May 6 20:09:46 UTC 2011

On May 6 2011, Mark Andrews wrote:

>Once the parent zone is signed and is accepting DS/DNSKEY records for
>child zones there shouldn't be any need to add records to DLV.

Well, for some value of "should" ...

It might be that the parent, although signed and accepting DS records,
does not yet have a chain of trust back to the root, or via dlv.isc.org.

It might be that although it does, you don't trust the parent's
operational procedures enough to be sure that will continue to be
the case, as compared with your ability to maintain your own records
in dlv.isc.org.

It might be that you want nameservers with restricted support for
signing algorithms to be able to validate your zone. dlv.isc.org
only needs RSASHA1 + NSEC, back to the root needs at least RSASHA256
and often NSEC3 as well.

In fact, our main forward zone (cam.ac.uk) and main IPv4 reverse zone
(111.131.in-addr.arpa) do now have DNSSEC chains of trust all the way
from the root zone. But I haven't removed their entries from dlv.isc.org
yet, and in fact am still quite undecided as to when it will be
appropriate to do so.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list