That makes it clear for me; thank you very much!

As an unrelated side-note: does anyone know when org.'s DS will be
included in the root zone?

Niobos

On 2010-07-16 14:08, Alan Clegg wrote:
>> Trying to enhance that: Am I correct to state that it's not possible to
>> validate a delegation NS RRset?
>> You can only validate it indirectly by checking if the DS at the parent
>> matches the DNSKEY in the (presumed) child.
> 
> And that the NS in the child is signed by the ZSK that is signed by the
> KSK that matches the DS in the parent.
> 
> The parent is not allowed to sign the NS records (nor glue), as it does
> not truly 'own' the data -- only the child has that responsibility.
> 
>> It appears that DNSSEC was designed to verify from the QNAME back up to
>> the root. I was trying to do it the other way around, hence my confusion.
> 
> A leap of faith (trust anchor) provides a validatable zone which
> contains a DS record which validates a child DNSKEY which provides a
> validatable zone which ... but you start by doing a query for the QNAME
> for which you were interested in and then chasing backwards, so yes.
> 
> I highly recommend http://dnsviz.net as a path to enlightenment.
> 
> AlanC

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to