On Jun 23 2011, Fredrik Ljunggren wrote:
> A KSK is a DNSKEY with the SEP bit set. And for validation to work with a single key, that key has to have the SEP bit set.

Shome mishtake, shurely? There are zones around that have only one DNSKEY, without the SEP bit, and they validate just fine. To take two examples at random: "nu" and "co.uk".

"nu" had its 15 minutes of fame when it failed to get included in dlv.isc.org when ISC were importing the ITAR, just because the SEP bit was missing. I seem to recall that ISC had to make special arrangements to fix that.

"co.uk", and the other sub-zones of "uk" managed by Nominet, are more recent examples.

-- 
Chris Thompson
University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk
New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715
United Kingdom.
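
An added illustration, not part of the original message or of any resolver's code: a sketch of the DS-to-DNSKEY match from RFC 4034, in which only the Zone Key bit is checked and the SEP bit is never consulted (RFC 4034 section 2.1.1 makes it a hint that validators must not act on). The owner name `example.` and the public key bytes are constructed placeholders.

```python
import hashlib
import struct

ZONE_KEY = 0x0100  # flags bit 7: key may be used to verify zone data
SEP = 0x0001       # flags bit 15: Secure Entry Point hint, unused below

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag computation from RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(owner, ds, rdata):
    """True if this DNSKEY is the one the parent's DS record points at."""
    tag, alg, digest_type, digest = ds
    flags, protocol, key_alg = struct.unpack("!HBB", rdata[:4])
    if not flags & ZONE_KEY or protocol != 3:
        return False  # not a zone key, so it cannot anchor the zone
    if digest_type != 2 or key_alg != alg or key_tag(rdata) != tag:
        return False
    return hashlib.sha256(wire_name(owner) + rdata).digest() == digest

def check_flag_variants(owner="example."):
    """Build a DS for the same key under three flag values and match it."""
    pub = bytes(range(64))  # constructed placeholder, not a real public key
    results = {}
    for flags in (256, 257, 1):  # no SEP, SEP set, SEP without Zone Key
        rdata = dnskey_rdata(flags, 13, pub)
        results[flags] = ds_matches(owner, make_ds(owner, rdata), rdata)
    return results

if __name__ == "__main__":
    print(check_flag_variants())
```

The flags field is covered by both the key tag and the digest, so a DS generated for the 256 form of a key will not match the 257 form of the same key.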