[dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
David Conrad drc at virtualized.org
Thu Oct 23 18:14:04 CEST 2008
Stephane,

On Oct 23, 2008, at 2:16 AM, Stephane Bortzmeyer wrote:
>> Why should these be in the DLV ?
> Because, otherwise, how could I validate domains under ".br" and
> ".cz"?

IANA is planning on announcing the beta version of the IANA interim trust anchor repository during the upcoming RIPE meeting. This TAR uses the established trust relationships to obtain the trust anchors and publishes those trust anchors via an X.509 protected web site.

> This does not scale.

True, however it does scale for TLDs.

> What is a proper configuration? My BIND has:
>
> dnssec-enable yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
> dnssec-validation yes;

I've always been curious why there are two binary switches for turning on DNSSEC in BIND (particularly since BIND always sets "DNSSEC OK", regardless of whether those switches are true or any trust anchors have been configured), but that's not your issue...

>
> include "/etc/bind/trust-anchors"; // A few DNSKEY for domains
> // I was able to check personally
>
> Better suggestions are welcome.

FWIW, on my laptop, I have a really simple cronjob that fetches the root zone trust anchor from IANA's testbed and HUPs the server. However, I won't actually care about the ITAR itself, since I slave the root zone on my laptop and the IANA DNSSEC testbed root zone has all the TLD trust anchors to date and will continue to do so. The ITAR could, of course, be fetched instead of the root zone trust anchor if you don't happen to trust IANA's generation of the root zone in its DNSSEC testbed.

Regards,
-drc
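The message above turns on the question of how a trust anchor obtained out of band (a DS from DLV or the ITAR, or a DNSKEY one has "checked personally") is tied to the key actually in a zone. The check a validator performs is mechanical: hash the canonical owner name together with the DNSKEY RDATA, compute the RFC 4034 key tag, and compare both with the DS. The following Python is an added example written for this page; it is not code from the thread, from BIND, or from IANA. The zone name "example." and the DNSKEY with public key bytes 01 02 03 04 are constructed placeholders, not a real key for any zone.

```python
"""Check a DNSKEY against a DS record (RFC 4034 section 5 and Appendix B).

Added example, not code from the dns-wg thread, BIND or IANA. Shows the
computation behind a DS-style trust anchor: key tag + digest over
(canonical owner name || DNSKEY RDATA), then comparison with a published DS.
"""
import base64
import hashlib
import hmac

# DS digest types (IANA registry). SHA-1 is kept only because older DS
# records of the era used it; prefer SHA-256 for anything new.
DIGEST_ALGS = {1: "sha1", 2: "sha256"}

# Constructed sample: hypothetical zone and a dummy 4-byte "public key".
SAMPLE_OWNER = "example."
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="   # flags 257 (ZONE|SEP), proto 3, alg 8 (RSASHA256)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Parse '257 3 8 <base64...>' presentation format into wire RDATA.
    The base64 key may be split over several whitespace-separated chunks."""
    flags, proto, alg, *b64 = presentation.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of big-endian byte pairs,
    with the carry folded back in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), uppercase hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest), the fields of a DS RR."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True iff the DS (tag, alg, digest_type, digest) describes this DNSKEY
    at this owner name. Unknown digest types are rejected, not trusted."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False
    if key_tag(rdata) != tag or rdata[3] != alg:
        return False
    computed = ds_digest(owner, rdata, dtype)
    # Constant-time compare is cheap insurance, even though DS data is public.
    return hmac.compare_digest(computed, digest.upper().replace(" ", ""))


if __name__ == "__main__":
    rd = parse_dnskey(SAMPLE_DNSKEY)
    ds = make_ds(SAMPLE_OWNER, rd)
    print("DS for %s: %d %d %d %s" % ((SAMPLE_OWNER,) + ds))
    print("matches:", ds_matches(SAMPLE_OWNER, rd, ds))
```

The owner name is part of the digest input, so a DS copied from one zone's trust anchor will not match the same key published under another name, and a single flipped key byte changes both the key tag and the digest. A DS that references a digest type the validator does not implement is treated as unusable rather than as a match.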