On 11/1/2011 3:02 PM, Phil Mayers wrote:
On 11/01/2011 06:34 PM, Scott Morizot wrote:
Alternatively, you can sign 'policydomain.internal' and configure its key
as one of the trust anchors on the validating name servers. The order of
validation is, if I recall correctly, locally configured trust anchors,
then chain of trust from root, and finally DLVs. So doing that should
provide a successful validation for the domain.
So presumably you could also follow Lyle's suggestion - have a local
"private" zone, signed, with a local trust anchor and an *in*secure
delegation to "policydomain.internal"?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
I would suggest not signing the .internal zone as a private zone and you
will be done. Then there is no DNSSEC records to mess with at all.
Again, this has a disadvantage if they ever decide to make .internal a
real internet domain name and some people frown upon this practice. Be
sure you know what can go wrong.
Lyle Giese
LCR Computer Services, Inc.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
