This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC and DHCP
- Previous message (by thread): [dns-wg] DNSSEC and DHCP
- Next message (by thread): [dns-wg] DNSSEC and DHCP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Joe Abley
jabley at strandkip.nl
Mon May 22 22:20:59 CEST 2023
Op ma 22 mei , Joe Abley <[jabley at strandkip.nl](mailto:Op ma 22 mei , Joe Abley <<a href=)> schreef: > Op ma 22 mei , Julian Fölsch <[julian.foelsch at agdsn.de](mailto:Op ma 22 mei , Julian Fölsch <<a href=)> schreef: > >> This however had the side effect that child zones that are not signed were no >> longer resolving so I thought "Lets just sign them. Can't be that hard, >> right?" > > Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong? Actually, here's a thought -- check that the zone cuts actually exist (that the parent has a delegating NS set, and that the child has apex SOA and NS sets). If your parent zone and child zones were hosted on the same servers, lack of zone cuts wouldn't matter if they were all unsigned (there's no referral to return, so the lack of a delegation goes unnoticed). However you need the delegation to be present if you want to signal that the child zone is unsigned. Just guessing, but I've seen this kind of thing before (and not just in enterprise zones). Joe > -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/dns-wg/attachments/20230522/4d285163/attachment.html>
- Previous message (by thread): [dns-wg] DNSSEC and DHCP
- Next message (by thread): [dns-wg] DNSSEC and DHCP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]