That was very helpful. Thanks. One last query. For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below?
--- On Thu, 1/28/10, Evan Hunt <e...@isc.org> wrote:

> From: Evan Hunt <e...@isc.org>
> Subject: Re: DNSSEC DSSET & KEYSET
> To: "prock...@yahoo.com" <prock...@yahoo.com>
> Cc: "Florian Weimer" <fwei...@bfk.de>, bind-users@lists.isc.org
> Date: Thursday, January 28, 2010, 10:42 AM
>
> > Is there a tool/process to verify if the parent domain has DSSET,
> > KEYSET, or keys in place for the child domain? Thanks.
>
> "dig ds <yourdomain>", and check that a) DS records are returned, and
> b) the first field of at least some of the DS records match the key ID of
> the key-signing key for your zone. For example, isc.org is using key 12892:
>
> $ dig +short ds isc.org
> 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> 12892 5 2
> F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D
> E18DA6B5
>
> ...so we're fine.
>
> And of course, you could also configure a validating resolver (or drill
> or dig +sigchase) with a trust anchor for the parent, and make sure the
> validation process works.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
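The check Evan describes above compares the first field of each parent DS record with the key tag of the child's key-signing key. The script below is an added example, not code from this thread or from ISC: it computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5) from a DNSKEY, parses `dig +short ds` output as printed above (including a digest that dig has wrapped across whitespace), and reports which parent DS records actually cover the key. It goes one step beyond the key-tag comparison in the mail by also verifying the digest, because a DS left over from an earlier key can share a key tag with the current KSK and only the digest tells them apart. The zone name `example.com.`, the DNSKEY fields and the DS lines are all constructed for the demonstration; the public-key bytes are filler, not a real RSA key.

```python
"""Check that a parent's DS RRset covers a child zone's KSK (RFC 4034)."""
import hashlib

# Constructed sample zone and KSK (not a real key): the public-key field is
# filler bytes chosen so the key-tag arithmetic is easy to follow by hand.
ZONE = "example.com."
KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM = 257, 3, 8
KSK_PUBLIC_KEY = bytes([0x01, 0x02, 0x03, 0x04])

# DS digest types defined in RFC 4034 / RFC 4509.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-cased, absolute) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(zone, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as upper-case hex."""
    return DIGESTS[digest_type](wire_name(zone) + rdata).hexdigest().upper()


def parse_ds(line):
    """Parse one 'dig +short ds' line; dig may wrap the digest over spaces."""
    parts = line.split()
    tag, alg, dtype = (int(p) for p in parts[:3])
    return tag, alg, dtype, "".join(parts[3:]).upper()


def matching_ds(ds_lines, zone, rdata, algorithm):
    """Return the parent DS lines whose key tag AND digest cover this DNSKEY."""
    tag = key_tag(rdata)
    hits = []
    for line in ds_lines:
        ds_tag, ds_alg, ds_type, ds_hex = parse_ds(line)
        if ds_tag != tag or ds_alg != algorithm or ds_type not in DIGESTS:
            continue
        if ds_digest(zone, rdata, ds_type) == ds_hex:
            hits.append(line)
    return hits


def example_check():
    """Run the check against a constructed parent DS RRset."""
    rdata = dnskey_rdata(KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBLIC_KEY)
    tag = key_tag(rdata)
    digest = ds_digest(ZONE, rdata, 2)
    # Constructed "dig +short ds" output: one good SHA-256 DS (wrapped like
    # dig prints it), one with the right key tag but a stale digest, and one
    # for an unrelated key tag.
    parent_ds = [
        f"{tag} {KSK_ALGORITHM} 2 {digest[:32]} {digest[32:]}",
        f"{tag} {KSK_ALGORITHM} 2 {'00' * 32}",
        f"{(tag + 1) & 0xFFFF} {KSK_ALGORITHM} 1 {'11' * 20}",
    ]
    return tag, matching_ds(parent_ds, ZONE, rdata, KSK_ALGORITHM)


if __name__ == "__main__":
    tag, hits = example_check()
    print(f"KSK key tag: {tag}")
    for line in hits:
        print("covered by DS:", line)
```

In practice you would replace the constructed `KSK_*` fields with the KSK from your own zone file (or `dig dnskey <yourdomain>`) and feed the real `dig +short ds <yourdomain>` lines to `matching_ds`; a key tag that matches with no matching digest is the signal that the parent still holds a DS for an old key.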