In message <[EMAIL PROTECTED]>, Chris Thompson writes:
> On Nov 20 2008, Stephane Bortzmeyer wrote:
>
> >On Thu, Nov 20, 2008 at 11:55:17AM +0000,
> > Chris Thompson <[EMAIL PROTECTED]> wrote
> > a message of 33 lines which said:
> >
> >>> The text you quote is for DNS publication. But you typically do not
> >>> put KSK in the DNS, no?
> >>
> >> Sure you do. How could a validator use it if you didn't?
> >
> >Because it is published as a trust anchor?
>
> In theory, I suppose that's true: the named.conf trusted-keys entries are
> just the textual representation of a KSK. (I've not seen a secure zone
> actually configured to leave out the KSK, though, so I'm not sure this
> would work.)
>
> But who wants to publish trust anchors? Much better to get the KSK
> validated from the parent zone (DS record) or a trusted source (DLV record).
> And neither of those have enough data to actually *reconstruct* the KSK.

	s/reconstruct/identify/

> --
> Chris Thompson
> Email: [EMAIL PROTECTED]
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
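
The DS-versus-KSK relationship discussed in this thread, as an added example that is not part of the original messages: a DS record carries only a key tag, an algorithm number, a digest type and a digest of the owner name plus the DNSKEY RDATA (RFC 4034, with SHA-256 as digest type 2). Assumptions: the owner name `example.com.`, the stand-in public key bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, as hashed into a DS."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum, not a unique id."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_identifies(owner: str, rdata: bytes, ds) -> bool:
    """A validator's check: does this DNSKEY hash to the DS it already trusts?"""
    return make_ds(owner, rdata) == ds

# Constructed sample data (not a real key): a 64-byte stand-in public key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))       # flags 257 = SEP (KSK)
OTHER = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))  # a different key
DS = make_ds(OWNER, KSK)

if __name__ == "__main__":
    tag, alg, dtype, digest = DS
    print(f"{OWNER} IN DS {tag} {alg} {dtype} {digest.hex().upper()}")
    print("DNSKEY RDATA bytes:", len(KSK), "| DS digest bytes:", len(digest))
    print("KSK matches DS:      ", ds_identifies(OWNER, KSK, DS))
    print("other key matches DS:", ds_identifies(OWNER, OTHER, DS))
```

The validator still has to fetch the DNSKEY RRset from the zone itself; the DS only lets it decide which of the published keys to trust.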