On Tue, 2010-07-06 at 23:12 +0300, Duane Wessels wrote:
> On Jul 6, 2010, at 1:04 PM, Tim Verhoeven wrote:
> 
> > So this needs to be configurable behavior. Does anyone know what the
> > policy on this is by the root zone?
> 
> The root zone also requires the DNSKEY to be present in the child zone.
> 
> see 
> http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf
> 
>     At the time of the trust anchor request, there must be a DNSKEY
>     that matches the DS record present in the child zone. 

The document seems to say that it is possible to publish a DS record
even if the corresponding DNSKEY is not present in the child zone, if it
is "by design and can be demonstrated not to affect the stability of
the TLD or the root zone". Actually it seems that at least cz. has such
a DS record published in the root zone at the moment.

Regards,

Antti
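
The check discussed in this thread (whether a DNSKEY matching a given DS is present in the child zone) can be run locally before a DS is handed to the parent. The following is an added example, not part of the original messages or of OpenDNSSEC; it computes the key tag and DS digest as defined in RFC 4034, and the function names, owner name and key material are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name wire form | DNSKEY RDATA), upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, key, digest_type=2):
    """Build the (key_tag, algorithm, digest_type, digest) tuple for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches(owner, ds, dnskeys):
    """True if any DNSKEY published in the child zone corresponds to the DS."""
    tag, alg, dtype, digest = ds
    want = digest.replace(" ", "").upper()
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        if key[2] == alg and key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == want:
            return True
    return False

# Constructed sample data: two toy keys as (flags, protocol, algorithm, base64 key).
KSK_PUBLISHED = (257, 3, 8, "AQIDBA==")
KSK_STANDBY = (257, 3, 8, "BAMCAQ==")

if __name__ == "__main__":
    ds = make_ds("example.", KSK_STANDBY)
    # The DS points at a key that the zone does not (yet) publish.
    print("DS has matching DNSKEY:", ds_matches("example.", ds, [KSK_PUBLISHED]))
```

A DS that fails this check is the case the exception quoted above covers: the DS refers to a key that is not in the zone's DNSKEY RRset.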
