Hanno Böck wrote:
On Wednesday 25 November 2009, Alan Clegg wrote:
There is no DS record for dnssec-tools.org in .org (chain of trust is
broken), so you can't validate the response -- thus the data being
passed back to you.

Ok, that explains it.

Are there any example domains with known-broken dnssec records with a full trust chain?

I've been meaning to set some up, but at this moment, I'm not aware of any.

Setting up your trust-anchor with the DNSKEY from dnssec-tools.org would be only one level worse than using the DNSKEY from .org

Setting up a validator using the key from dnssec-tools.org should be able to prove your point...

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users