In message <1304628473.25384.1448737...@webmail.messagingengine.com>, dchilton+b...@bestmail.us writes:

> "missed it by THAT much ...". thx! relocating to bind-users.
>
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <r...@gmx.co.uk> wrote:
> > FWIW I think you hit the wrong list. Did you mean bind-users@isc?
> >
> > On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+b...@bestmail.us wrote:
> > > after signing my zones with 'dnssec-signzone', I've got both
> > >
> > > dsset-domain.com
> > > dlvset-domain.com
> > >
> > > containing DS- and DLV-records, respectively.
> > >
> > > I know I *can* submit the records to my registrar (DS records)
> > > and dlv.isc.org (DLV records), but should I do both?
> > >
> > > I'm not clear if these are redundant mechs for getting to a
> > > 'valid' DNSSEC state, or complementary.
> > >
> > > can anyone clarify -- both or just one? and if just one, which
> > > one?
> >
> > [I hope someone will correct me if I'm wrong.]
> >
> > My understanding: if the parent is signed, that is the only way a
> > child zone can be validated, unless of course using trusted-keys.
> > DLV is only done when the parent is unsigned.
> >
> > Off to the registrar you go!
Once the parent zone is signed and is accepting DS/DNSKEY records for child zones, there shouldn't be any need to add records to DLV. Named won't consult DLV unless there is an insecure delegation between the configured trust anchors and the zone.

That being said, other implementations might try DLV if validation fails on the normal trust path. This is an implementation choice.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
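As an added illustration of the point Mark makes above, the following Python is a toy model of the validator's walk from a configured trust anchor down to a zone. It is not code from this thread or from BIND, and it simplifies heavily: every label in a name is treated as a zone cut, "the parent publishes a DS" is a boolean rather than a hash that must match a DNSKEY, and the DLV registry is just a set of names for which a DLV record exists (what you would have after submitting a dlvset-* file to dlv.isc.org). The zone names, the unsigned "test." TLD and the rest of the sample data are constructed for the example.

```python
"""
Toy model of the DNSSEC chain-of-trust decision described in the thread:
DLV is only consulted when an insecure delegation breaks the DS chain
between a configured trust anchor and the zone being validated.
Not ISC/BIND code; every name and flag below is constructed example data.
"""

from dataclasses import dataclass


@dataclass
class Zone:
    signed: bool                # zone publishes DNSKEY/RRSIG records
    ds_in_parent: bool = False  # parent publishes a DS record for this zone


def ancestors(name):
    """Zone names from the root down to and including `name`.
    'example.com.' -> ['.', 'com.', 'example.com.']
    (Assumption of the model: every label is a zone cut.)"""
    labels = [lab for lab in name.split(".") if lab]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def validation_status(name, zones, trust_anchors, dlv_registry=frozenset()):
    """Walk from the closest enclosing trust anchor to `name`.
    Returns one of:
      ("secure", anchor)        unbroken DS chain from a configured anchor
      ("secure-dlv", dlv_name)  chain broken, a DLV entry re-anchored it
      ("insecure", None)        nothing vouches for the zone
      ("bogus", zone)           DS published for a zone that is not signed
    """
    chain = ancestors(name)
    anchor = None
    for z in chain:
        if z in trust_anchors:
            anchor = z  # the deepest configured anchor wins
    if anchor is None:
        return ("insecure", None)

    # Follow DS records downward from the anchor.
    insecure_at = None
    for z in chain[chain.index(anchor) + 1:]:
        info = zones.get(z, Zone(signed=False))
        if not info.ds_in_parent:
            insecure_at = z     # parent vouches for nothing here
            break
        if not info.signed:
            return ("bogus", z)  # DS present but no matching keys
    if insecure_at is None:
        return ("secure", anchor)  # DLV never looked at

    # Only now does DLV matter: search from the target upward to the
    # insecure delegation for a DLV entry, then continue the DS chain from it.
    for z in reversed(chain[chain.index(insecure_at):]):
        if z in dlv_registry:
            if not zones.get(z, Zone(signed=False)).signed:
                return ("bogus", z)
            inner = validation_status(name, zones, {z})
            return ("secure-dlv", z) if inner[0] == "secure" else inner
    return ("insecure", None)


# Constructed sample data (not real zone state).
ZONES = {
    ".":                 Zone(signed=True),
    "com.":              Zone(signed=True, ds_in_parent=True),
    "example.com.":      Zone(signed=True, ds_in_parent=True),   # DS at registrar
    "broken.com.":       Zone(signed=False, ds_in_parent=True),  # stale DS
    "test.":             Zone(signed=False),                     # unsigned TLD
    "example.test.":     Zone(signed=True),                      # nowhere to put a DS
    "sub.example.test.": Zone(signed=True, ds_in_parent=True),
}
TRUST_ANCHORS = {"."}
DLV = {"example.com.", "example.test."}  # dlvset-* submitted for both


if __name__ == "__main__":
    for n in ("example.com.", "example.test.", "sub.example.test.", "broken.com."):
        print(n, validation_status(n, ZONES, TRUST_ANCHORS),
              validation_status(n, ZONES, TRUST_ANCHORS, DLV))
```

Running it shows the thread's answer directly: example.com. validates as ("secure", ".") whether or not a DLV entry exists, because the DS chain from the root is intact and the DLV registry is never consulted; example.test., under an unsigned TLD, is insecure without DLV and becomes ("secure-dlv", "example.test.") only because of the DLV entry.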