Thanks Leen Besselink & Jan-Piet Mens. I now have a bit better understanding related to the DLV registry & DNSSEC. So it should be added/done by the Authority (Alternative Root DNS operator) who is maintaining (set of) TLDs, outside of ICANN/IANA.
So for a better & successful DNSSEC validation, other than adding their own DS, RRSIG records for a set of TLDs, a TLD / AltRootDns operator needs to add some of those record info inside the DLV registry as well.

Please see my other email for other issues I'm having.

On 8/23/2012 3:32 AM, Leen Besselink wrote:
> On Thu, Aug 23, 2012 at 12:22:03PM +0200, Jan-Piet Mens wrote:
>>> The solution for not having to create such a large configuration file might
>>> be that someone, probably the alternative root or TLD operators, could
>>> create
>>> a DLV-registry.
>>
>> DLV is basically a DNS zone which contains a DLV RR for each domain it
>> handles. The rdata of the DLV is what you'd normally put in the DS RR
>> for the zone.
>>
>> e.g.
>>
>> $ dig +noall +answer qupps.biz DS
>> qupps.biz. 3899 IN DS 27112 5 1
>> 483610EFD4991F0AC114F44747061E3603D56C86
>>
>> $ dig +noall +answer qupps.biz.dlv.isc.org DLV
>> qupps.biz.dlv.isc.org. 3356 IN DLV 27112 5 1
>> 483610EFD4991F0AC114F44747061E3603D56C86
>>
>> Regards,
>>
>> -JP
>
> It was mostly the details I wasn't sure about.
>
> The first thing I would try is to create an alternative unsigned root and a
> DLV-repository
> with all the signed TLDs, then you add a trust-anchor for the domain of the
> DLV-repository
> to the recursor. I would guess that would work.
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
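The DS-to-DLV mapping described in the quoted reply (same rdata, owner name moved under the DLV zone), as an added Python example that is not part of the original thread. The function name `ds_to_dlv`, the digest-length check and the choice to carry the DS TTL over are assumptions of this sketch; the sample input is constructed from the `dig` output quoted above.

```python
import re

# Hex length of the digest for each DS digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
HEX = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: the DS answer from the thread, digest wrapped onto its own line.
SAMPLE = ("qupps.biz.\t3899\tIN\tDS\t27112 5 1\n"
          "\t483610EFD4991F0AC114F44747061E3603D56C86\n")


def ds_to_dlv(dig_output, dlv_zone):
    """Convert `dig +noall +answer <name> DS` output into DLV zone-file lines."""
    zone = dlv_zone.rstrip(".").lower()
    records, current = [], None
    for raw in dig_output.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) >= 7 and fields[2].upper() == "IN" and fields[3].upper() == "DS":
            # owner TTL IN DS keytag algorithm digest-type [digest chunks...]
            current = fields[:7] + ["".join(fields[7:])]
            records.append(current)
        elif current is not None and all(HEX.fullmatch(f) for f in fields):
            # Continuation line: the digest was wrapped by the mail client or dig.
            current[7] += "".join(fields)
        else:
            raise ValueError("unrecognised line: %r" % raw)

    lines = []
    for owner, ttl, _cls, _type, keytag, alg, dtype, digest in records:
        expected = DIGEST_HEX_LEN.get(int(dtype))
        if expected is None or len(digest) != expected or not HEX.fullmatch(digest):
            # A truncated or mistyped digest would make validation fail later,
            # so refuse to publish it in the DLV zone.
            raise ValueError("bad digest for %s (digest type %s)" % (owner, dtype))
        name = owner.rstrip(".").lower()
        # Owner name is the secured domain prepended to the DLV zone; rdata is unchanged.
        dlv_owner = (name + "." if name else "") + zone + "."
        lines.append("%s %s IN DLV %s %s %s %s"
                     % (dlv_owner, ttl, keytag, alg, dtype, digest.upper()))
    return lines


if __name__ == "__main__":
    print("\n".join(ds_to_dlv(SAMPLE, "dlv.isc.org")))
```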
