On Mon, Aug 28, 2017 at 12:25 PM, Niall O'Reilly <niall.orei...@ucd.ie> wrote: > On 28 Aug 2017, at 17:06, Michael Dahlberg wrote: > >> My apologies if this question has an easily discoverable answer but my >> google-fu seems to be failing me today. > > > Try "insecure delegation" against your favourite search engine. > Here's an example of what searching for this gave me (from DuckDuckGo > rather than Google): > > https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns > >> If a domain is signed, is it possible to delegate a subdomain to a 3rd >> party who is unable to sign that subdomain? > > > Yes. You need NS records as has always been the case. By simply not > adding a DS > record, you signal an insecure delegation.
Yup, exactly -- take .com as an example -- it is a signed zone, but there are a large number of unsigned subdomains in it. W > > You may have problems if the two sets of name servers (for parent and > child zones) > overlap. > > Best regards, > Niall O'Reilly > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
