DNSSEC and forward zones

Scott Morizot tmorizot at sd.is.irs.gov
Tue Nov 1 20:28:54 UTC 2011

On 1 Nov 2011 at 20:02, Phil Mayers wrote:

> On 11/01/2011 06:34 PM, Scott Morizot wrote:
> > Alternatively, you can sign 'policydomain.internal' and configure its key
> > as one of the trust anchors on the validating name servers. The order of
> > validation is, if I recall correctly, locally configured trust anchors,
> > then chain of trust from root, and finally DLVs. So doing that should
> > provide a successful validation for the domain.
> So presumably you could also follow Lyle's suggestion - have a local 
> "private" zone, signed, with a local trust anchor and an *in*secure 
> delegation to "policydomain.internal"?

Depends on what you have in place. The above would work, but if all you 
have that you're trying to forward to is policydomain.internal, just sign 
policydomain.internal and configure that key in your trust anchors. As I 
said, I believe local trust anchors are always checked before chain of 
trust is checked.


Scott Morizot

"In software development, optimism is a disease;
 feedback is the cure." -- Kent Beck

More information about the bind-users mailing list