Subdomain DNSSEC

Michael Dahlberg olgamirth at gmail.com
Mon Aug 28 16:06:23 UTC 2017


My apologies if this question has an easily discoverable answer but my
google-fu seems to be failing me today.

If a domain is signed, is it possible to delegate a subdomain to a 3rd
party who is unable to sign that subdomain?  For example, I own example.com
and it's signed.  I'd like to delegate subdomain.example.com to a 3rd party
that uses Amazon Route53 and therefore can't sign subdomain.example.com.
My understanding, and this may be incorrect, is that if a client's resolver
verifies signatures, then any resolution of subdomain.example.com would
result in an error because there would not be a valid signature for each
node in subdomain.example.com.  As I said, I may be incorrect here.

Thanks for any and all comments.

Mike