Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Mark Andrews
In message <888060.89769...@web110304.mail.gq1.yahoo.com>, "prock...@yahoo.com" writes: > In a DNSSEC compliant world (I know we're not there yet) we need to give a copy of our DSSET and KEYSET to our parent domain. Please confirm that is an accurate statement. More correctly the parent n

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Paul Wouters
On Thu, 28 Jan 2010, prock...@yahoo.com wrote: So my question is, is there a way through DIG (or some other utility) to confirm that the parent domain has the DSSET and KEYSET records required to support the child domain? http://opensource.iis.se/trac/dnscheck/ $ dnscheck -test=dnssec xeler

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Chris Thompson
On Jan 28 2010, Joseph S D Yao wrote: On Thu, Jan 28, 2010 at 03:42:11PM +, Evan Hunt wrote: > Is there a tool/process to verify if the parent domain has DSSET, > KEYSET, or keys in place for the child domain? Thanks. "dig ds ", and check that a) DS records are returned, and B) the firs

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Joseph S D Yao
On Thu, Jan 28, 2010 at 03:42:11PM +, Evan Hunt wrote: > > > Is there a tool/process to verify if the parent domain has DSSET, > > KEYSET, or keys in place for the child domain? Thanks. > > "dig ds ", and check that a) DS records are returned, and > B) the first field of at least some of th

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Florian Weimer
* Chris Thompson: >>Parent zone policies vary. Some require DS RRs, some DNSKEY RRs. >>Demanding DNSKEY RRs can prolong the life of signature schemes with >>certain weaknesses (which might be helpful at some point in the >>future). > > I take it you refer there to the digest type field in the DS

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Chris Thompson
On Jan 28 2010, Florian Weimer wrote: * prock: In a DNSSEC compliant world (I know we're not there yet) we need to give a copy of our DSSET and KEYSET to our parent domain. Please confirm that is an accurate statement. Parent zone policies vary. Some require DS RRs, some DNSKEY RRs. Demand

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Michael Sinatra
On 01/28/10 07:57, prock...@yahoo.com wrote: That was very helpful. Thanks. One last query. For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below? If you mean ISC DLV registry, that service continually does sanity chec

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread prock...@yahoo.com
That was very helpful. Thanks. One last query. For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below? --- On Thu, 1/28/10, Evan Hunt wrote: > From: Evan Hunt > Subject: Re: DNSSEC DSSET & KEYSET > To: "prock...@yahoo.c

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Evan Hunt
> Is there a tool/process to verify if the parent domain has DSSET, > KEYSET, or keys in place for the child domain? Thanks. "dig ds ", and check that a) DS records are returned, and B) the first field of at least some of the DS records match the key ID of the key-signing key for your zone. Fo

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Florian Weimer
* prock: > Is there a tool/process to verify if the parent domain has DSSET, > KEYSET, or keys in place for the child domain? Thanks. No, such parent domain policies are not obvious from looking at the DNS. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kri

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread prock...@yahoo.com
Is there a tool/process to verify if the parent domain has DSSET, KEYSET, or keys in place for the child domain? Thanks. --- On Thu, 1/28/10, Florian Weimer wrote: > From: Florian Weimer > Subject: Re: DNSSEC DSSET & KEYSET > To: "prock...@yahoo.com" > Cc: bind-users@lists.isc.org > Date:

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Florian Weimer
* prock: > In a DNSSEC compliant world (I know we're not there yet) we need to > give a copy of our DSSET and KEYSET to our parent domain. Please > confirm that is an accurate statement. Parent zone policies vary. Some require DS RRs, some DNSKEY RRs. Demanding DNSKEY RRs can prolong the life o

DNSSEC DSSET & KEYSET

2010-01-28 Thread prock...@yahoo.com
In a DNSSEC compliant world (I know we're not there yet) we need to give a copy of our DSSET and KEYSET to our parent domain. Please confirm that is an accurate statement. So my question is, is there a way through DIG (or some other utility) to confirm that the parent domain has the DSSET and