In a DNSSEC compliant world (I know we're not there yet) we need to give a copy
of our DSSET and KEYSET to our parent domain. Please confirm that is an
accurate statement.
So my question is, is there a way through DIG (or some other utility) to
confirm that the parent domain has the DSSET and
* prock:
In a DNSSEC compliant world (I know we're not there yet) we need to
give a copy of our DSSET and KEYSET to our parent domain. Please
confirm that is an accurate statement.
Parent zone policies vary. Some require DS RRs, some DNSKEY RRs.
Demanding DNSKEY RRs can prolong the life of
Is there a tool/process to verify if the parenet domain has DSSET, KEYSET, or
keys in place for the child domain? Thanks.
--- On Thu, 1/28/10, Florian Weimer fwei...@bfk.de wrote:
From: Florian Weimer fwei...@bfk.de
Subject: Re: DNSSEC DSSET KEYSET
To: prock...@yahoo.com
* prock:
Is there a tool/process to verify if the parenet domain has DSSET,
KEYSET, or keys in place for the child domain? Thanks.
No, such parent domain policies are not obvious from looking at the
DNS.
--
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH
That was very helpful. Thanks.
One last query. For signed domains registered with and using ISC.ORG trust
anchor, is there a sanity check similar to what you displayed below?
--- On Thu, 1/28/10, Evan Hunt e...@isc.org wrote:
From: Evan Hunt e...@isc.org
Subject: Re: DNSSEC DSSET KEYSET
On 01/28/10 07:57, prock...@yahoo.com wrote:
That was very helpful. Thanks.
One last query. For signed domains registered with and using ISC.ORG trust
anchor, is there a sanity check similar to what you displayed below?
If you mean ISC DLV registry, that service continually does sanity
On Jan 28 2010, Florian Weimer wrote:
* prock:
In a DNSSEC compliant world (I know we're not there yet) we need to
give a copy of our DSSET and KEYSET to our parent domain. Please
confirm that is an accurate statement.
Parent zone policies vary. Some require DS RRs, some DNSKEY RRs.
* Chris Thompson:
Parent zone policies vary. Some require DS RRs, some DNSKEY RRs.
Demanding DNSKEY RRs can prolong the life of signature schemes with
certain weaknesses (which might be helpful at some point in the
future).
I take it you refer there to the digest type field in the DS record?
On Thu, Jan 28, 2010 at 03:42:11PM +, Evan Hunt wrote:
Is there a tool/process to verify if the parenet domain has DSSET,
KEYSET, or keys in place for the child domain? Thanks.
dig ds yourdomain, and check that a) DS records are returned, and
B) the first field of at least some of
On Jan 28 2010, Joseph S D Yao wrote:
On Thu, Jan 28, 2010 at 03:42:11PM +, Evan Hunt wrote:
Is there a tool/process to verify if the parenet domain has DSSET,
KEYSET, or keys in place for the child domain? Thanks.
dig ds yourdomain, and check that a) DS records are returned, and
B)
On Thu, 28 Jan 2010, prock...@yahoo.com wrote:
So my question is, is there a way through DIG (or some other utility) to
confirm that the parent domain has the DSSET and KEYSET records required to
support the child domain?
http://opensource.iis.se/trac/dnscheck/
$ dnscheck -test=dnssec
In message 888060.89769...@web110304.mail.gq1.yahoo.com, prock...@yahoo.com
writes:
In a DNSSEC compliant world (I know we're not there yet) we need to give a co
py of our DSSET and KEYSET to our parent domain. Please confirm that is an a
ccurate statement.
More correctly the parent needs
12 matches
Mail list logo
