[dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Oct 23 11:16:08 CEST 2008
On Tue, Oct 21, 2008 at 10:59:46AM -0400,
 Paul Wouters <paul at xelerance.com> wrote
 a message of 10 lines which said:

> Why should these be in the DLV ?

Because, otherwise, how could I validate domains under ".br" and
".cz"? By trying to find a public key on their (https) Web site and
adding it as a trust anchor? By exchanging PGP-signed email with
Federico or Ondrej? This does not scale.

> I'd rather see people configure their resolvers properly.

What is a proper configuration? My BIND has:

        dnssec-enable yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
        dnssec-validation yes;

        include "/etc/bind/trust-anchors"; // A few DNSKEY for domains
                                           // I was able to check personally

Better suggestions are welcome.

> Will this cause people who use properly configured resolvers to send
> DLV requests for those TLD's?

If "properly configured" is the configuration above, yes :-)
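
Added example, not part of the original message: a sketch of which DLV owner names a validator configured as above would look up for a given name, following the label-stripping search described in RFC 5074. The function names, the sample query names and the sample trust anchors are constructed for illustration; a real validator stops at the first DLV record found and uses cached negative answers to skip lookups.

```python
# Illustrative model of DLV lookups (RFC 5074), not BIND's actual code.

def _labels(name):
    """Split a domain name into lowercase labels; the root "." has none."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def _is_under(name, zone):
    """True if `name` is at or below `zone` (label-wise suffix match)."""
    n, z = _labels(name), _labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def dlv_query_names(qname, dlv_domain="dlv.isc.org.",
                    lookaside_root=".", trust_anchors=()):
    """Return candidate DLV owner names for `qname`, most specific first.

    lookaside_root : first argument of `dnssec-lookaside` ("." covers all names)
    trust_anchors  : zones with a locally configured DNSKEY (assumed to be
                     validated through the normal chain, so no DLV lookup)
    """
    if _is_under(qname, dlv_domain):
        return []          # the DLV zone itself is validated by its own anchor
    if not _is_under(qname, lookaside_root):
        return []          # outside the subtree DLV was enabled for
    if any(_is_under(qname, anchor) for anchor in trust_anchors):
        return []          # covered by a manually configured trust anchor
    q = _labels(qname)
    suffix = ".".join(_labels(dlv_domain)) + "."
    # Strip one leading label at a time: www.example.br -> example.br -> br
    return [".".join(q[i:]) + "." + suffix for i in range(len(q))]


if __name__ == "__main__":
    anchors = ("se.",)     # constructed sample: one hand-checked trust anchor
    for name in ("www.example.br.", "nic.cz.", "www.example.se."):
        print(name, "->", dlv_query_names(name, trust_anchors=anchors) or "no DLV lookup")
```

Every name outside a configured trust anchor yields at least a query for its TLD under the DLV zone, which is why the answer to the last quoted question is yes, and it also means the DLV operator sees the names being validated.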