Breaking trusted chain in dnssec

Tony Finch dot at
Wed Jul 13 14:30:47 UTC 2016

Georg Kahest <georg.kahest at> wrote:
> On 07/13/2016 03:16 PM, Mark Andrews wrote:
> >
> > You have a delegation without a DS record.
> Or have a DS record without actual dnskey/rrsig records in the
> delegated zone.

Be aware that these are very different things!

Mark's suggestion creates an insecure subdomain, i.e. one that works but
lacks DNSSEC.

Georg's suggestion creates a bogus subdomain, i.e. one that does not work.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
North Fitzroy, Sole: Northwesterly 4 or 5 at first in east, otherwise variable
3 or 4, then becoming southerly 5 or 6 later in west. Moderate, occasionally
slight later in east. Rain later in west. Good, occasionally moderate later in

More information about the bind-users mailing list