Re: DNSSEC validation works with DLV, but not with just trusted-key
Hanno Böck wrote:
> dig baddata-A.test.dnssec-tools.org @localhost

There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you.

AlanC

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC validation works with DLV, but not with just trusted-key
On Wednesday 25 November 2009, Alan Clegg wrote:
> There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you.

Ok, that explains it. Are there any example domains with known-broken dnssec records with a full trust chain?

-- 
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail: ha...@hboeck.de
http://schokokeks.org - professional webhosting
Re: DNSSEC validation works with DLV, but not with just trusted-key
Hanno Böck wrote:
> On Wednesday 25 November 2009, Alan Clegg wrote:
>> There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you.
>
> Ok, that explains it. Are there any example domains with known-broken dnssec records with a full trust chain?

I've been meaning to set some up, but at this moment, I'm not aware of any.

Setting up your trust-anchor with the DNSKEY from dnssec-tools.org would be only one level worse than using the DNSKEY from .org

Setting up validator using the key from dnssec-tools.org should be able to prove your point...

AlanC
Re: DNSSEC validation works with DLV, but not with just trusted-key
Or one could use DLV to provide the trust linkage.

dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: DNSSEC validation works with DLV, but not with just trusted-key
In message 200911252202.napm2asg000...@drugs.dv.isc.org, Mark Andrews writes:
> Or one could use DLV to provide the trust linkage.
>
> dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
> dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282

Should have read the subject more closely. :-)

In any case as Alan said, there needs to be a trusted path from a trust anchor to the data. DLV provides that trusted path. ORG will soon once they leave the friends and family stage.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
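
An added example, not part of the original thread: a sketch of how a DS or DLV record such as the ones quoted above is tied to a zone's DNSKEY, using the key tag from RFC 4034 Appendix B and a digest over the owner name plus DNSKEY RDATA. The public key bytes and all function names are constructed for illustration; the real dnssec-tools.org DNSKEY is not on this page.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types 1 and 2

def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_digest(owner, rdata, digest_type):
    """Digest field: hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def dlv_matches(owner, rdata, record):
    """record = (key_tag, algorithm, digest_type, hex_digest) from a DS/DLV RR."""
    tag, alg, dtype, digest = record
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot be used as a trust link
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.replace(" ", "").upper() == make_digest(owner, rdata, dtype))

# Constructed sample key (flags 257 = key-signing key, protocol 3, algorithm 5).
OWNER = "dnssec-tools.org."
KEY = dnskey_rdata(257, 3, 5, bytes.fromhex("03010001") + bytes(range(64)))
RECORD = (key_tag(KEY), 5, 2, make_digest(OWNER, KEY, 2))

if __name__ == "__main__":
    print("DLV fields:", *RECORD)
    print("links to key:", dlv_matches(OWNER, KEY, RECORD))
    other = KEY[:-1] + b"\xff"  # a different key for the same name
    print("links to other key:", dlv_matches(OWNER, other, RECORD))
```

Without a matching DS in the parent or a DLV record in the lookaside zone, a validator has nothing to run this comparison against, which is the broken chain of trust described in the thread.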