> From: Robert Moskowitz <r...@htt-consult.com>

> The Redhat docs on bind had a warning about not implementing features, 
> like DNSSEC if your secondaries doesn't support it.  That is all I am 
> going on.  I think I also saw it in some isc.org doc.

In your position, I'd publish the RRSIG and NSEC* records (i.e. sign
the zone) and see what breaks.  Maybe I'm ignorant and naive about
DNSSEC (I'd like to hear about it), but I'd expect nothing bad to
happen with the secondaries.  And if they're running such incredibly
ancient code that something breaks, then they probably have serious
security issues unrelated to DNSSEC that should disqualify them as
secondaries.

You'll have to do something like that while you fight with Network
Solutions to deal with your DS records or switch to another registrar.
My recollections of past mailing list comments as well as
https://www.google.com/search?q=network+solutions+dnssec
https://www.networksolutions.com/search.jsp?searchTerm=dnssec
https://www.icann.org/en/news/in-focus/dnssec/deployment
suggest that effort will be interesting.  Have you started it?

At the end of a long saga to get DS RRs for the handful of my domains,
Tucows/Opensrs said "Please try not ask us do that again soon."


Vernon Schryver    v...@rhyolite.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to