This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] DNSSEC: Signed zones list

Previous message (by thread): [dns-wg] DNSSEC: Signed zones list
Next message (by thread): [dns-wg] DNSSEC: Signed zones list

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lutz Donnerhacke lutz at iks-jena.de
Mon Feb 27 11:13:28 CET 2006

* Max Tulyev wrote:
> So as I can understand, to fully inplement DNSSEC on my named's I have to
> get ALL keys for ALL signed zones and premanently trace all of them if it
> is not expired, isn't it?

Your are mostly right. You do not need (and should not care about) the key
of chained zones, i.e. zone, that have a DS record in the signed parent zone.
In those cases you only need the key of the topmost signed zone.

In order to keep the maintaining effort as small as possible, several TLD
offer a seperate DNS-server which hosts signed subzones. Such servers are
available for *.fr, *.net and *.com. The *.se zone is signed using the
standard DNS servers.

Another trick to delegate the maintaining work is to use a lookaside zone.
There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de.
A lookaside zone is used by your DNS server to determine a "DS" record for
an unknown zone. Consequently the lookaside zone does not contain records
for chained zones.

It's up to you. Good luck.

Previous message (by thread): [dns-wg] DNSSEC: Signed zones list
Next message (by thread): [dns-wg] DNSSEC: Signed zones list

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]