DNSSEC and forward zones

Phil Mayers p.mayers at imperial.ac.uk
Tue Nov 1 20:02:31 UTC 2011


On 11/01/2011 06:34 PM, Scott Morizot wrote:

> Alternatively, you can sign 'policydomain.internal' and configure its key
> as one of the trust anchors on the validating name servers. The order of
> validation is, if I recall correctly, locally configured trust anchors,
> then chain of trust from root, and finally DLVs. So doing that should
> provide a successful validation for the domain.

So presumably you could also follow Lyle's suggestion - have a local 
"private" zone, signed, with a local trust anchor and an *in*secure 
delegation to "policydomain.internal"?



More information about the bind-users mailing list