This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC: Signed zones list
Lutz Donnerhacke
lutz at iks-jena.de
Mon Feb 27 11:13:28 CET 2006
* Max Tulyev wrote:
> So as I can understand, to fully implement DNSSEC on my named's I have to
> get ALL keys for ALL signed zones and permanently trace all of them if it
> is not expired, isn't it?

You are mostly right. You do not need (and should not care about) the keys of chained zones, i.e. zones that have a DS record in the signed parent zone. In those cases you only need the key of the topmost signed zone.

In order to keep the maintenance effort as small as possible, several TLDs offer a separate DNS server which hosts signed subzones. Such servers are available for *.fr, *.net and *.com. The *.se zone is signed using the standard DNS servers.

Another trick to delegate the maintenance work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.

It's up to you. Good luck.
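The key-management rule in the message above (a local trust anchor only for the topmost signed zone, DS records in the parent for chained zones, a lookaside zone for everything with no chain) can be written down as a small model. The following is an added example, not code from the original thread or from any resolver; all zone names, the DS table and the lookaside table are constructed, and nothing here performs real DNS queries. It walks up the delegation chain the way a validating resolver does, reports which key actually had to be trusted, and flags lookaside entries that are redundant because the zone is already chained to a configured anchor.

```python
"""Toy model of DNSSEC trust-anchor selection: anchors, chained zones, lookaside.

Constructed data only; no DNS traffic is generated.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed: zones whose parent publishes a DS record for them ("chained"
# zones), mapped to that parent. The parent's signature covers the DS, so the
# child's key never has to be configured locally.
DS_IN_PARENT: Dict[str, str] = {
    "example.se.": "se.",
    "sub.example.se.": "example.se.",
    "child.iks-jena.de.": "iks-jena.de.",
}

# Constructed: keys the operator keeps locally (trust anchors). Per the post,
# only the topmost signed zone of each chain belongs here.
TRUST_ANCHORS: Set[str] = {"se."}

# Constructed lookaside registry: zone -> DS-like record for signed zones that
# have no DS in their (unsigned) parent. Chained zones do not belong here.
LOOKASIDE: Dict[str, str] = {
    "iks-jena.de.": "DS for iks-jena.de. (constructed)",
    "example.net.": "DS for example.net. (constructed)",
}

LOOKASIDE_KEY = "<lookaside zone key>"  # placeholder name for the DLV zone's own key


def trust_path(zone: str,
               anchors: Set[str] = TRUST_ANCHORS,
               ds_in_parent: Dict[str, str] = DS_IN_PARENT,
               lookaside: Dict[str, str] = LOOKASIDE) -> Tuple[str, Optional[str]]:
    """Walk up from `zone` until a trusted key is found.

    Returns ("anchor", apex)    if the chain reaches a configured trust anchor,
            ("lookaside", apex) if the chain ends at a zone the lookaside vouches for,
            ("insecure", None)  otherwise.
    `apex` is the zone whose key is the one that actually had to be trusted.
    """
    seen: Set[str] = set()
    cur = zone
    while cur not in seen:          # guard against a malformed DS table with a cycle
        seen.add(cur)
        if cur in anchors:
            return ("anchor", cur)  # key configured locally: done
        if cur in ds_in_parent:
            cur = ds_in_parent[cur]  # chained: keep walking up to the parent
            continue
        # Chain broken here: no local key, no DS in the parent. This is the
        # point at which a resolver asks the lookaside zone about `cur`.
        if cur in lookaside:
            return ("lookaside", cur)
        return ("insecure", None)
    return ("insecure", None)


def keys_to_maintain(zones: Iterable[str], **kw) -> Set[str]:
    """Keys the operator must track locally to validate all of `zones`.

    Every lookaside-backed zone costs only the lookaside zone's own key.
    """
    needed: Set[str] = set()
    for z in zones:
        how, apex = trust_path(z, **kw)
        if how == "anchor" and apex is not None:
            needed.add(apex)
        elif how == "lookaside":
            needed.add(LOOKASIDE_KEY)
    return needed


def redundant_lookaside_entries(lookaside: Dict[str, str],
                                anchors: Set[str] = TRUST_ANCHORS,
                                ds_in_parent: Dict[str, str] = DS_IN_PARENT) -> List[str]:
    """Lookaside entries for zones already chained to a configured anchor.

    Evaluated with the lookaside disabled, so only the real chain counts.
    """
    return sorted(z for z in lookaside
                  if trust_path(z, anchors, ds_in_parent, {})[0] == "anchor")


if __name__ == "__main__":
    for z in ["sub.example.se.", "child.iks-jena.de.", "example.net.", "example.com."]:
        print(z, "->", trust_path(z))
    print("keys to keep:", keys_to_maintain(DS_IN_PARENT.keys() | LOOKASIDE.keys()))
    # A lookaside that wrongly lists a chained zone:
    print("redundant:", redundant_lookaside_entries({"example.se.": "x", "example.net.": "y"}))
```

Running the block shows that three signed zones under `se.` need one local key, and that every zone under a lookaside-registered apex is covered by the lookaside zone's key alone; a lookaside entry for `example.se.` is reported as redundant because `se.` already publishes its DS.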