Michael wrote:
>> It depends on what you are trying to do...
>>
>> SSL certificates are not used in DNSSEC, so if you are talking about "to
>> deploy DNSSEC", then the answer is NO.
>>
>> If you are trying to secure your http, pop, imap, etc. sessions, and a
>> self-signed certificate is not enough then yes, you need to buy a
>> "certificate"
>
> I'm talking about DNS SEC (signed zones)... so in other words I can't sign a
> zone with a CA issued certificate.

Signing a zone and doing SSL are two different things, both using cryptography (and the associated mathematics), but are not done in the same way.

I recommend that you take a look at: http://www.nlnetlabs.nl/dnssec_howto/

AlanC