> Is there a tool/process to verify if the parenet domain has DSSET, > KEYSET, or keys in place for the child domain? Thanks.
"dig ds <yourdomain>", and check that a) DS records are returned, and B) the first field of at least some of the DS records match the key ID of the key-signing key for your zone. For example, isc.org is using key 12892: $ dig +short ds isc.org 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5 ...so we're fine. And of course, you could also configure a validating resolver (or drill or dig +sigchase) with a trust anchor for the parent, and make sure the validation process works. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users