alan at peak.org
Wed Apr 18 19:24:48 UTC 2012
On 4/18/12 12:18 PM, Spain, Dr. Jeffry A. wrote:
>> ;; WARNING There is no DS for the zone: .
>> Isn't the "DS for the zone: ." what the "managed-keys" clause provides?
> Now I think I see what you mean. It is my understanding that DS records exist in parent zones and refer to child zones that are to be trusted. Thus there is no DS record referring to the root zone, as it by definition has no parent. The root trust anchor provided by managed-keys or dnssec-validation serves the same purpose as this non-existent DS record. The warning above makes sense in this context. Jeff.
Right - although the trust anchor is provided, it's not actually a DS
record, so you still get the warning...
Now on to research key rotation management...
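Added example, not part of the original thread and not BIND's code: a Python sketch of the point made above, that a DS digest published in a parent zone and a locally configured root trust anchor vouch for a key in the same way and differ only in where the digest comes from. The key bytes, the zone name "example." and the find_anchor helper are constructed for illustration.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA per RFC 4034: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical lower-case wire form of an owner name; "." is one zero byte."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2): hash of owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def find_anchor(zone, rdata, parent_ds, trust_anchors):
    """Hypothetical helper: report which source vouches for this key, if any."""
    digest = ds_digest(zone, rdata)
    if digest in parent_ds.get(zone, ()):
        return "DS in parent zone"
    if digest in trust_anchors.get(zone, ()):
        return "locally configured trust anchor"
    return None

# Constructed sample keys (not real zone keys): KSK flags 257, algorithm 8.
ROOT_KEY = dnskey_rdata(257, 8, bytes(range(32)))
CHILD_KEY = dnskey_rdata(257, 8, bytes(range(32, 64)))

# A parent zone can publish a DS for its child; "." has no parent to do so.
PARENT_DS = {"example.": {ds_digest("example.", CHILD_KEY)}}
# The resolver operator supplies the root key's digest out of band instead.
TRUST_ANCHORS = {".": {ds_digest(".", ROOT_KEY)}}

if __name__ == "__main__":
    for zone, key in ((".", ROOT_KEY), ("example.", CHILD_KEY)):
        print(zone, key_tag(key), find_anchor(zone, key, PARENT_DS, TRUST_ANCHORS))
```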