Free secondary servers supporting DNSSEC?

Vernon Schryver vjs at rhyolite.com
Sun Feb 17 17:11:54 UTC 2013


> From: Robert Moskowitz <rgm at htt-consult.com>

> The Redhat docs on bind had a warning about not implementing features, 
> like DNSSEC if your secondaries don't support it.  That is all I am 
> going on.  I think I also saw it in some isc.org doc.

In your position, I'd publish the RRSIG and NSEC* records (i.e. sign
the zone) and see what breaks.  Maybe I'm ignorant and naive about
DNSSEC (I'd like to hear about it), but I'd expect nothing bad to
happen with the secondaries.  And if they're running such incredibly
ancient code that something breaks, then they probably have serious
security issues unrelated to DNSSEC that should disqualify them as
secondaries.

You'll have to do something like that while you fight with Network
Solutions to deal with your DS records or switch to another registrar.
My recollections of past mailing list comments as well as
https://www.google.com/search?q=network+solutions+dnssec
https://www.networksolutions.com/search.jsp?searchTerm=dnssec
https://www.icann.org/en/news/in-focus/dnssec/deployment
suggest that effort will be interesting.  Have you started it?

At the end of a long saga to get DS RRs for the handful of my domains,
Tucows/Opensrs said "Please try not to ask us to do that again soon."


Vernon Schryver    vjs at rhyolite.com
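
Added example, not part of the original post or of any BIND tooling: one way to "see what breaks" after signing is to ask the primary and each secondary for the zone's SOA with `dig +dnssec +norec` and compare what comes back. The script below does that comparison offline over constructed answer sections; every hostname, serial and signature value in it is made up, and `parse_answer` and `check_secondaries` are hypothetical helper names.

```python
# Constructed answer sections, as `dig +dnssec +norec SOA example.com @server`
# would print them. All hostnames, serials and signature data are made up.
SIGNED = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013021701 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20130319000000 20130217000000 12345 example.com. c2lnbmF0dXJl
"""
ANSWERS = {
    "primary.example.com": SIGNED,
    "sec1.example.net": SIGNED,
    # same serial as the primary, but the signature is not served
    "sec2.example.org": SIGNED.splitlines()[0] + "\n",
    # still serving the old unsigned zone (transfer of the signed zone failed)
    "sec3.example.org": SIGNED.splitlines()[0].replace("2013021701", "2013021501") + "\n",
}

def parse_answer(text):
    """Return (SOA serial, set of record types covered by RRSIGs)."""
    serial, covered = None, set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, dig comment or truncated record
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype == "SOA" and len(rdata) >= 3:
            serial = int(rdata[2])       # mname rname SERIAL ...
        elif rtype == "RRSIG":
            covered.add(rdata[0].upper())  # first RDATA field: type covered
    return serial, covered

def check_secondaries(answers, primary):
    """Compare every secondary's SOA answer with the primary's."""
    want_serial, want_sigs = parse_answer(answers[primary])
    report = {}
    for server, text in answers.items():
        if server == primary:
            continue
        serial, sigs = parse_answer(text)
        problems = []
        if serial is None:
            problems.append("no SOA in answer")
        elif serial != want_serial:
            problems.append(f"serial {serial} != primary {want_serial}")
        if "SOA" in want_sigs and "SOA" not in sigs:
            problems.append("RRSIG for SOA missing")
        report[server] = problems
    return report

if __name__ == "__main__":
    for server, problems in check_secondaries(ANSWERS, "primary.example.com").items():
        print(server, "OK" if not problems else "; ".join(problems))
```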


