On May 6 2011, Mark Andrews wrote:
> Once the parent zone is signed and is accepting DS/DNSKEY records for child zones there shouldn't be any need to add records to DLV.

Well, for some value of "should" ...

It might be that the parent, although signed and accepting DS records, does not yet have a chain of trust back to the root, or via dlv.isc.org. It might be that although it does, you don't trust the parent's operational procedures enough to be sure that will continue to be the case, as compared with your ability to maintain your own records in dlv.isc.org. It might be that you want nameservers with restricted support for signing algorithms to be able to validate your zone. dlv.isc.org only needs RSASHA1 + NSEC, back to the root needs at least RSASHA256 and often NSEC3 as well.

In fact, our main forward zone (cam.ac.uk) and main IPv4 reverse zone (111.131.in-addr.arpa) do now have DNSSEC chains of trust all the way from the root zone. But I haven't removed their entries from dlv.isc.org yet, and in fact am still quite undecided as to when it will be appropriate to do so.

--
Chris Thompson
Email: c...@cam.ac.uk

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
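The two mechanisms discussed in this thread (a DS record at the parent, or an entry in dlv.isc.org) both publish a digest of the child's DNSKEY, and the second concern raised above is whether every zone along the chain is signed with an algorithm the validator supports. The script below is an added example, not code from the thread or from BIND: it derives the DS record for a DNSKEY the way RFC 4034 specifies (canonical owner name followed by the DNSKEY RDATA, key tag from Appendix B), and then models the algorithm-support question for a chain of zones. The owner name `zone.example.` and the base64 key blob are constructed for the example and are not real key material; the sample chains fed to `chain_validatable` are likewise illustrative and do not describe the real root, uk or cam.ac.uk zones.

```python
import base64
import hashlib
import struct

# DNSSEC algorithm and DS digest-type numbers from the IANA registries.
RSASHA1 = 5               # the algorithm an old RSASHA1-only validator supports
RSASHA1_NSEC3_SHA1 = 7    # RSASHA1 in an NSEC3-signed zone (signals NSEC3 awareness)
RSASHA256 = 8             # used by the root zone; implies NSEC3 awareness too
DS_DIGEST_SHA1 = 1
DS_DIGEST_SHA256 = 2

# Constructed sample DNSKEY: owner name and key blob are made up for this example.
SAMPLE_DNSKEY = "zone.example. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR into its fields; the base64 key
    may be split across several whitespace-separated chunks."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): sum the RDATA as big-endian 16-bit words,
    fold the carry back in once, keep the low 16 bits."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 s5.1.4): hash(canonical owner name || DNSKEY RDATA)."""
    hashes = {DS_DIGEST_SHA1: hashlib.sha1, DS_DIGEST_SHA256: hashlib.sha256}
    return hashes[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(line, digest_type=DS_DIGEST_SHA256):
    """The DS RR a parent zone (or a DLV registry) would publish for this DNSKEY."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def chain_validatable(chain_algorithms, supported_algorithms):
    """True if a validator that supports only `supported_algorithms` can follow
    every link in the chain. Each element of chain_algorithms is the set of
    algorithms one zone on the path is signed with; a zone whose algorithms are
    all unsupported is treated as insecure (RFC 4035 s5.2), which breaks the chain."""
    return all(algs & supported_algorithms for algs in chain_algorithms)


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY, DS_DIGEST_SHA1))
    print(ds_record(SAMPLE_DNSKEY, DS_DIGEST_SHA256))
    old_validator = {RSASHA1}
    # Illustrative chains only: a root-anchored path where the apex zones use
    # RSASHA256, versus a DLV path where the registry and child use RSASHA1.
    via_root = [{RSASHA256}, {RSASHA256}, {RSASHA1}]
    via_dlv = [{RSASHA1}, {RSASHA1}]
    print("via root:", chain_validatable(via_root, old_validator))
    print("via dlv: ", chain_validatable(via_dlv, old_validator))
```

The point the model makes explicit is that a single zone near the top of the chain signed only with an algorithm the resolver lacks makes the whole chain unverifiable for that resolver, regardless of how the leaf zone is signed; a separate trust anchor path such as DLV sidesteps that only while its own zones stay within the resolver's algorithm set.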