On Fri, May 21, 2010 at 09:54:01AM +0300, Techi <te...@tellas.gr> wrote a message of 46 lines which said:
> I have a Centos 5.x with Bind 9.3.6-4.

That's an extremely old version. Even Debian :-) has a more recent one. For instance, you won't be able to validate the root (which uses SHA256) or .ORG (which uses NSEC3).

> dnssec-enable yes;
> dnssec-validation yes;
> ****************************
> Is that correct?

You also need to configure trust anchors:

    trusted-keys {
            # Not yet published
            . 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lL...";

and/or:

    dnssec-lookaside . trust-anchor dlv.isc.org.;

> If not so, then what DLV should I use? That if ISC, IANA's, RIPE, what? And
> how?

As far as I know, IANA and RIPE do not manage a DLV. For ISC, see the line above.

> So, the specific server is DNSSEC aware and I will not face any
> issues with the root zones signing at 01/07/2010. Correct?

The root is already completely signed for one week (the key is not yet published). You do not need to enable DNSSEC to work with the signed root, it is a separate issue.
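
Added example, not part of the original message: a small Python check for the point the reply makes, that `dnssec-enable yes;` and `dnssec-validation yes;` validate nothing unless a `trusted-keys` entry or a `dnssec-lookaside` line is also configured. The function names and both sample configurations are constructed for this example, and the key string is a placeholder, not a real key.

```python
import re

# Quoted strings are matched first so that "//" or "#" inside a base64 key survives.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments (all three are legal in named.conf)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def option_is_yes(conf, name):
    m = re.search(r"\b%s\s+(\w+)\s*;" % re.escape(name), conf)
    return bool(m) and m.group(1).lower() == "yes"

def trust_anchors(conf):
    """Return (zone, flags, algorithm) for every entry of every trusted-keys block."""
    entry = re.compile(r'(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"[^"]*"\s*;')
    anchors = []
    for block in re.findall(r"\btrusted-keys\s*\{(.*?)\}\s*;", conf, re.S):
        for zone, flags, _proto, alg in entry.findall(block):
            anchors.append((zone, int(flags), int(alg)))
    return anchors

def lookaside(conf):
    """Return (covered domain, DLV zone) from a dnssec-lookaside line, or None."""
    m = re.search(r"\bdnssec-lookaside\s+(\S+)\s+trust-anchor\s+(\S+?)\s*;", conf)
    return m.groups() if m else None

def audit(conf_text):
    conf = strip_comments(conf_text)
    findings = ["%s is not set to yes" % opt
                for opt in ("dnssec-enable", "dnssec-validation")
                if not option_is_yes(conf, opt)]
    if not trust_anchors(conf) and lookaside(conf) is None:
        findings.append("no trusted-keys entry and no dnssec-lookaside: "
                        "nothing can be validated")
    return findings

# Constructed samples: the first mirrors the two options quoted in the question.
OPTIONS_ONLY = """options {
    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-lookaside . trust-anchor dlv.isc.org.;
};"""
WITH_ANCHORS = """options {
    dnssec-enable yes; dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
trusted-keys {
    # constructed placeholder, not a real key
    example. 257 3 5 "PLACEHOLDER//BASE64#KEY==";
};"""

if __name__ == "__main__":
    for label, sample in (("options only", OPTIONS_ONLY), ("with anchors", WITH_ANCHORS)):
        print(label, "->", audit(sample) or "ok")
```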