DNSSEC submit of DLV vs DNSKEY records?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon May 9 06:58:52 UTC 2011


On Fri, May 06, 2011 at 12:45:17PM +1000,
 Mark Andrews <marka at isc.org> wrote 
 a message of 52 lines which said:

> Once the parent zone is signed and is accepting DS/DNSKEY records 

"is accepting" is not sufficient. Many TLD are managed in a strict
registry/registrar fashion which means that it is not enough for the
registry to accept DS records, the registrar have to do it, too.

Two real-world examples: 

* .FR accepts DS records but, today, all the records come from one
registrar. The others are not ready yet.

* I cannot sign my domains (such as bortzmeyer.org), although there are
in signed TLDs, since my registrar is still not DNSSEC-ready (and it
would be ridiculous to switch to another registrar just for DNSSEC:
this technique is not important enough to make me forget the other
criteria for choosing a registrar).

So, DLV at ISC is still very useful and will be for a long time.





More information about the bind-users mailing list