On Apr 6, 2017, 2:32 AM -1000, Paul Vixie <[email protected]>, wrote:
> if you want to run yeti-style, there are some perl scripts that will
> fetch and verify the root zone, edit the apex NS and DNSKEY RRsets,
> re-sign with your local key, and give you a zone you can run on several
> servers inside your internal network, such that you can point your
> "hints" and your dnssec anchor at servers you control, for all your
> internal-network recursives,

Not so sure this is something I'd go about recommending to pretty much anyone other than hardcore, very experienced DNS/DNSSEC protocol geeks since it pretty much defeats the purpose of DNSSEC (edit the apex? ugh) and requires all relying devices to configure a "non-default" trust anchor or suffer SERVFAILs.

Regards,
-drc

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
