> From: Robert Moskowitz <r...@htt-consult.com> > The Redhat docs on bind had a warning about not implementing features, > like DNSSEC if your secondaries doesn't support it. That is all I am > going on. I think I also saw it in some isc.org doc.
In your position, I'd publish the RRSIG and NSEC* records (i.e. sign the zone) and see what breaks. Maybe I'm ignorant and naive about DNSSEC (I'd like to hear about it), but I'd expect nothing bad to happen with the secondaries. And if they're running such incredibly ancient code that something breaks, then they probably have serious security issues unrelated to DNSSEC that should disqualify them as secondaries. You'll have to do something like that while you fight with Network Solutions to deal with your DS records or switch to another registrar. My recollections of past mailing list comments as well as https://www.google.com/search?q=network+solutions+dnssec https://www.networksolutions.com/search.jsp?searchTerm=dnssec https://www.icann.org/en/news/in-focus/dnssec/deployment suggest that effort will be interesting. Have you started it? At the end of a long saga to get DS RRs for the handful of my domains, Tucows/Opensrs said "Please try not ask us do that again soon." Vernon Schryver v...@rhyolite.com _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users