DNSSEC domain and sub-domains

Tony Finch dot at dotat.at
Thu Apr 24 16:01:30 UTC 2014

rod at iastate.edu <rod at iastate.edu> wrote:

> If we implement DNSSEC for iastate.edu, admin.iastate.edu and
> its.iastate.edu, must DNSSEC be implemented for the delegated zones as
> well?

No, in exactly the same way that signing .edu does not mean iastate.edu
has to be signed. If there are no DS records at the delegation point for
cs.iastate.edu that means that cs.iastate.edu is insecure.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
South Biscay: Easterly 4 or 5, veering westerly 5 to 7. Rough. Rain or
showers. Good, occasionally poor.

More information about the bind-users mailing list