On 1 Nov 2011 at 20:02, Phil Mayers wrote:
> On 11/01/2011 06:34 PM, Scott Morizot wrote:
> >
> > Alternatively, you can sign 'policydomain.internal' and configure its key
> > as one of the trust anchors on the validating name servers. The order of
> > validation is, if I recall correctly, locally configured trust anchors,
> > then chain of trust from root, and finally DLVs. So doing that should
> > provide a successful validation for the domain.
>
> So presumably you could also follow Lyle's suggestion - have a local
> "private" zone, signed, with a local trust anchor and an *in*secure
> delegation to "policydomain.internal"?
Depends on what you have in place. The above would work, but if all you have that you're trying to forward to is policydomain.internal, just sign policydomain.internal and configure that key in your trust anchors. As I said, I believe local trust anchors are always checked before chain of trust is checked.

Scott

Scott Morizot
"In software development, optimism is a disease; feedback is the cure." -- Kent Beck

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
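The setup Scott recommends, as an added example that is neither code from this thread nor from ISC: sign policydomain.internal, take its KSK as a locally configured trust anchor on the validating resolver, and forward the zone to its authoritative server. BIND's validator starts from the closest enclosing trust anchor it has for a name, which is why an anchor for policydomain.internal takes precedence over the root anchor's proof that .internal does not exist. Assumptions made here: the BIND 9.16+ `trust-anchors { ... static-key ... }` syntax (older releases spell the same thing `trusted-keys { ... }`), forwarder address 192.0.2.53 from the documentation range, ECDSAP256SHA256 keys, a constructed zone file, and a placeholder DNSKEY string that is not a real key.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC/BIND. Builds the
# resolver-side configuration for a signed internal zone whose KSK is a
# local trust anchor. Assumptions: BIND 9.16+ trust-anchors syntax,
# forwarder 192.0.2.53 (documentation range), ECDSAP256SHA256 keys.
set -e

# Turn one DNSKEY RR (a K*.key file line or `dig DNSKEY` output) into a
# trust-anchors stanza. Optional TTL/class fields and base64 wrapped across
# several fields are tolerated. Only a KSK (flags 257) is accepted: a ZSK
# anchor would break validation at the next ZSK roll.
dnskey_to_trust_anchor() {
    printf '%s\n' "$1" | awk '
    {
        owner = $1
        for (i = 2; i <= NF; i++) if ($i == "DNSKEY") break
        flags = $(i+1); proto = $(i+2); alg = $(i+3)
        key = ""
        for (j = i+4; j <= NF; j++) key = key $j
        if (flags != "257") {
            print "refusing non-KSK DNSKEY (flags " flags ")" > "/dev/stderr"
            exit 1
        }
        printf "trust-anchors {\n    %s static-key %s %s %s \"%s\";\n};\n",
               owner, flags, proto, alg, key
    }'
}

# named.conf fragment for the validating resolver: anchor plus forward zone.
# "forward only" keeps the resolver away from the root, where .internal does
# not exist. The forwarder must return RRSIGs, so point it at the zone's
# authoritative server (or a resolver that honours the DO bit).
forward_zone_fragment() {
    zone=$1; dnskey=$2; fwd=${3:-192.0.2.53}
    dnskey_to_trust_anchor "$dnskey"
    cat <<EOF
zone "$zone" {
    type forward;
    forward only;
    forwarders { $fwd; };
};
EOF
}

# Constructed placeholder for illustration only: NOT a real public key.
SAMPLE_DNSKEY='policydomain.internal. IN DNSKEY 257 3 13 UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk='

# With BIND's signing tools installed, generate real keys for a constructed
# zone file, sign it and emit the fragment from the actual KSK.
sign_demo() {
    command -v dnssec-keygen >/dev/null 2>&1 || { echo "dnssec-keygen not found, skipping live demo" >&2; return 0; }
    command -v dnssec-signzone >/dev/null 2>&1 || return 0
    tmp=$(mktemp -d)
    cat > "$tmp/policydomain.internal.zone" <<'EOF'
$TTL 3600
@    IN SOA ns1.policydomain.internal. hostmaster.policydomain.internal. (
         2011110101 3600 900 1209600 300 )
     IN NS  ns1.policydomain.internal.
ns1  IN A   192.0.2.53
www  IN A   192.0.2.80
EOF
    ksk=$(dnssec-keygen -K "$tmp" -a ECDSAP256SHA256 -f KSK policydomain.internal)
    dnssec-keygen -K "$tmp" -a ECDSAP256SHA256 policydomain.internal >/dev/null
    dnssec-signzone -S -K "$tmp" -d "$tmp" -o policydomain.internal \
        "$tmp/policydomain.internal.zone" >/dev/null
    grep -q RRSIG "$tmp/policydomain.internal.zone.signed"
    # K*.key holds comment lines plus the DNSKEY RR; keep the RR.
    forward_zone_fragment policydomain.internal "$(grep -v '^;' "$tmp/$ksk.key")"
    rm -rf "$tmp"
}

forward_zone_fragment policydomain.internal "$SAMPLE_DNSKEY"
if ! sign_demo; then echo "live signing demo failed" >&2; fi
```

Put the emitted fragment in named.conf alongside `dnssec-validation auto;` and check from a client with `dig +dnssec www.policydomain.internal @<resolver>`: the AD flag in the answer means the resolver validated it against the local anchor. Two caveats: a `static-key` anchor is never updated by named, so every resolver must be reconfigured when the KSK is rolled (use `initial-key` instead if the zone will signal rolls per RFC 5011), and if the forwarder strips RRSIGs the zone will validate as bogus rather than insecure, because the anchor tells the resolver to expect signatures.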