On Fri, 06 May 2011 12:45 +1000, "Mark Andrews" <ma...@isc.org> wrote:

> > > [I hope someone will correct me if I'm wrong.]
> > >
> > > My understanding: if the parent is signed, that is the only way a
> > > child zone can be validated, unless of course using trusted-keys.
> > > DLV is only done when the parent is unsigned.
> > >
> > > Off to the registrar you go!
>
> Once the parent zone is signed and is accepting DS/DNSKEY records for
> child zones there shouldn't be any need to add records to DLV.
>
> Named won't consult DLV unless there is an insecure delegation between
> the configured trust anchors and the zone. That being said other
> implementations might try DLV if validation fails on the normal
> trust path. This is an implementation choice.
All clear, now. I did NOT get that from the docs + DLV site info. Thanks!

For now it's DS/DNSKEY for me (.com, .net & .org only). Just did external
verifies on my signed zones, and all's working.

DCh

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
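The rule Mark Andrews describes above, as an added example that is not part of the thread and not BIND's own code: a small model of a validator walking DS/DNSKEY links from the closest configured trust anchor down to a zone, and consulting a lookaside (DLV) registry only when that walk crosses an insecure delegation. The `dlv_on_failure` switch models the "other implementations" behaviour he mentions (retrying DLV after a bogus result), which `named` does not do. The zone tree, the `legacy.` TLD and the `broken.org.` zone are constructed for the example; `Zone`, `ancestors`, `walk` and `validate` are names chosen here. Note that ISC shut down its DLV registry in 2017, so today the DS-at-the-registrar path is the only one that matters in practice.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Zone:
    name: str            # fully qualified, e.g. "example.org."
    signed: bool         # zone publishes DNSKEY and RRSIGs
    ds_in_parent: bool   # parent zone publishes a DS record for this zone
    in_dlv: bool = False  # a DLV record for this zone exists at the lookaside registry


# Constructed zone tree for the example (not real DNS data).
ZONES: Dict[str, Zone] = {z.name: z for z in [
    Zone(".",               signed=True,  ds_in_parent=True),   # root, usually the anchor
    Zone("org.",            signed=True,  ds_in_parent=True),
    Zone("example.org.",    signed=True,  ds_in_parent=True),   # DS submitted to registrar
    Zone("legacy.",         signed=False, ds_in_parent=False),  # unsigned TLD (constructed)
    Zone("example.legacy.", signed=True,  ds_in_parent=False, in_dlv=True),
    Zone("broken.org.",     signed=False, ds_in_parent=True,  in_dlv=True),  # stale DS, no keys
]}


def ancestors(name: str) -> List[str]:
    """Zone-cut chain from the root down to name:
    'a.example.org.' -> ['.', 'org.', 'example.org.', 'a.example.org.']"""
    labels = [l for l in name.split(".") if l]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def walk(anchor: str, target: str, zones: Dict[str, Zone]) -> str:
    """Follow DS -> DNSKEY links from a trusted anchor zone down to target.
    'secure'   : every delegation had a DS and a signed child
    'insecure' : a delegation without DS was crossed (chain ends there)
    'bogus'    : DS present but the child is not signed"""
    chain = ancestors(target)
    if anchor not in chain:
        raise ValueError(f"{anchor} is not an ancestor of {target}")
    if not zones[anchor].signed:
        return "bogus"  # a trusted key for a zone that publishes no keys
    for child in chain[chain.index(anchor) + 1:]:
        z = zones[child]
        if not z.ds_in_parent:
            return "insecure"
        if not z.signed:
            return "bogus"
    return "secure"


def validate(target: str, trust_anchors: Set[str], zones: Dict[str, Zone],
             dlv_enabled: bool = True, dlv_on_failure: bool = False
             ) -> Tuple[str, str, bool]:
    """Return (status, source, dlv_consulted). source is 'anchor', 'dlv' or
    'none' (no configured anchor covers the target)."""
    chain = ancestors(target)
    covering = [a for a in chain if a in trust_anchors]
    anchor: Optional[str] = covering[-1] if covering else None  # closest anchor
    status = walk(anchor, target, zones) if anchor else "insecure"
    if status == "secure":
        return ("secure", "anchor", False)       # DLV is never consulted
    if status == "bogus" and not dlv_on_failure:
        return ("bogus", "anchor", False)        # named: no DLV retry on failure
    if not dlv_enabled:
        return (status, "anchor" if anchor else "none", False)
    # Insecure delegation (or, with dlv_on_failure, a failed chain): look for a
    # DLV entry for the target or any ancestor below the configured anchor and
    # treat it as a new trust anchor, deepest match first.
    below = chain if anchor is None else chain[chain.index(anchor) + 1:]
    for name in reversed(below):
        z = zones[name]
        if z.in_dlv and z.signed:
            return (walk(name, target, zones), "dlv", True)
    return (status, "anchor" if anchor else "none", True)


if __name__ == "__main__":
    root = {"."}
    for args in [("example.org.", root, ZONES),
                 ("example.org.", {"org."}, ZONES),        # trusted-keys for org.
                 ("example.legacy.", root, ZONES),
                 ("broken.org.", root, ZONES)]:
        print(args[0], args[1], "->", validate(*args))
    print("broken.org. with DLV retry ->",
          validate("broken.org.", root, ZONES, dlv_on_failure=True))
```

With the root as the only anchor, `example.org.` validates through its DS and DLV is never touched; `example.legacy.` sits below an unsigned TLD, so the walk ends at an insecure delegation and only then does the DLV entry come into play; `broken.org.` is bogus, and whether the validator goes on to consult DLV depends on the implementation switch, not on the DNS data.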