problem registering DS records with EDUCAUSE, sanity check please
Paul B. Henson
henson at acm.org
Tue Jul 15 20:02:13 UTC 2014
> From: Stephane Bortzmeyer
> Sent: Tuesday, July 15, 2014 12:43 AM
>
> You can also note that it is quite common to publish DS without any
> matching KSK. It is even documented in RFC 6781, section 4.2.4. For an
> actual example, see .UK <http://dnsviz.net/d/uk/dnssec/> (the yellow
> path).
Interesting, my understanding was that if there was a dangling DS record in
the parent that did not match a published DNSKEY in the child a validating
client might consider the zone bogus and refuse to resolve it.
More information about the bind-users
mailing list