On 05/05/11 22:47, dchilton+b...@bestmail.us wrote:
> "missed it by THAT much ...". thx! relocating to bind-users.
>
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <r...@gmx.co.uk> wrote:
>> FWIW I think you hit the wrong list. Did you mean bind-users@isc?
>
>
>> On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+b...@bestmail.us
>> wrote:
>>> after signing my zones with 'dnssec-signzone', i've got both
>>>
>>> dsset-domain.com
>>> dlvset-domain.com
>>>
>>> containing DS- and DLV-records, respectively.
>>>
>>> i know i *can* submit the records to my registrar (DS records)
>>> and dlv.isc.org (DLV records), but should I do both?
>>>
>>> i'm not clear if these are redundant mechs for getting to a
>>> 'valid' DNSSEC state, or complementary.
>>>
>>> can anyone clarify -- both or just one? and if just one, which
>>> one?
>>
>> [I hope someone will correct me if I'm wrong.]
>>
>> My understanding: if the parent is signed, that is the only way a
>> child zone can be validated, unless of course using trusted-keys.
>> DLV is only done when the parent is unsigned.
DLV can be done anyway, but having a signed parent is better.

Consider this situation: you have a signed parent, but not a chain to root (i.e. an island of trust). This makes your zone unvalidatable to anyone that doesn't trust that island. Now, if you have a DLV record, then anyone trusting it can also validate your zone. If, OTOH, one trusts the parent, then why should he bother checking DLV? Having a signed parent won't stop anyone from looking at DLV (signed != trusted).

Anyway, .com is now signed and if you can put DS in .com then putting it in DLV as well is overkill.

Torinthiel
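To make the relationship between the two files concrete: the DS record that goes to the registrar and the DLV record that goes to a DLV registry are the same digest of the same DNSKEY, published under different owner names, which is why they are alternative trust anchors rather than two halves of one mechanism. The script below is an added example, not code from the thread or from BIND itself; it rebuilds the two lines dnssec-signzone would write into dsset-domain.com and dlvset-domain.com. The DNSKEY material is a constructed placeholder (not a real RSA key), the zone name is the poster's domain.com, and the helper names (`dnskey_rdata`, `key_tag`, `ds_rdata`, `dsset_line`, `dlvset_line`) are mine.

```python
"""Added example: derive the DS and DLV records for one DNSKEY.

Shows that dsset-<zone> and dlvset-<zone> carry identical RDATA
(key tag, algorithm, digest type, digest) and differ only in owner
name.  Key bytes below are a constructed placeholder, not a real key.
"""
import hashlib
import struct

# Constructed DNSKEY: flags 257 (KSK with SEP bit), protocol 3,
# algorithm 8 (RSASHA256).  PUBLIC_KEY is placeholder bytes only.
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
PUBLIC_KEY = bytes.fromhex("03010001c0ffee")  # constructed, not a real key
DIGEST_TYPE_SHA256 = 2


def dnskey_rdata(flags=FLAGS, protocol=PROTOCOL, algorithm=ALGORITHM,
                 public_key=PUBLIC_KEY):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in uncompressed, lower-cased wire format (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_rdata(zone, rdata):
    """(key tag, algorithm, digest type, hex digest) for a DNSKEY.

    The digest covers the CHILD zone's owner name plus the DNSKEY RDATA
    (RFC 4034 section 5.1.4).  It does not depend on where the record is
    published, so DS at the parent and DLV at a registry share it.
    """
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], DIGEST_TYPE_SHA256, digest


def dsset_line(zone, rdata):
    """Line as found in dsset-<zone>: owner is the child zone itself."""
    tag, alg, dt, digest = ds_rdata(zone, rdata)
    return f"{zone.rstrip('.')}. IN DS {tag} {alg} {dt} {digest}"


def dlvset_line(zone, rdata, registry="dlv.isc.org"):
    """Line as found in dlvset-<zone> when signing with -l <registry>:
    same RDATA, owner name is <zone>.<registry> (RFC 4431)."""
    tag, alg, dt, digest = ds_rdata(zone, rdata)
    return f"{zone.rstrip('.')}.{registry}. IN DLV {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    rd = dnskey_rdata()
    print(dsset_line("domain.com", rd))   # goes to the registrar
    print(dlvset_line("domain.com", rd))  # would go to the DLV registry
```

A validator that trusts the root follows root -> .com DS -> domain.com DNSKEY and never consults the DLV owner name; a validator configured with a DLV anchor instead looks up domain.com.dlv.isc.org and checks the same digest against the same DNSKEY. Submitting the DS to the registrar is therefore sufficient once the parent is signed; note also that ISC retired the dlv.isc.org registry in 2017, so a DLV entry there no longer provides a second path for anyone.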
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users