[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation
Leen Besselink
leen at consolejunkie.net
Thu Aug 23 10:32:52 UTC 2012
On Thu, Aug 23, 2012 at 12:22:03PM +0200, Jan-Piet Mens wrote:
> > The solution for not having to create such a large configuration file might
> > be that someone, probably the alternative root or TLD operators, could create
> > a DLV-registry.
>
> DLV is basically a DNS zone which contains a DLV RR for each domain it
> handles. The rdata of the DLV is what you'd normally put in the DS RR
> for the zone.
>
> e.g.
>
> $ dig +noall +answer qupps.biz DS
> qupps.biz. 3899 IN DS 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86
>
> $ dig +noall +answer qupps.biz.dlv.isc.org DLV
> qupps.biz.dlv.isc.org. 3356 IN DLV 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86
>
> Regards,
>
> -JP

It was mostly the details I wasn't sure about.

The first thing I would try is to create an alternative unsigned root and a DLV-repository
with all the signed TLDs, then you add a trust-anchor for the domain of the DLV-repository
to the recursor. I would guess that would work.
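
The DS-to-DLV relationship described in the thread, as an added example that is not part of either poster's message: it parses the two dig answers quoted above, checks that the DLV record is the DS record re-homed under the DLV zone, and lists the names a validator tries in that zone per RFC 5074, which goes slightly beyond the single lookup shown. The query name `www.qupps.biz` and the function names are assumptions made for illustration.

```python
# Added illustration; the two records are the dig answers quoted in the thread.
DS_LINE = "qupps.biz. 3899 IN DS 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86"
DLV_LINE = ("qupps.biz.dlv.isc.org. 3356 IN DLV 27112 5 1 "
            "483610EFD4991F0AC114F44747061E3603D56C86")


def parse_rr(line):
    """Split a dig answer line into (owner, rrtype, (key_tag, alg, digest_type, digest))."""
    owner, _ttl, _cls, rrtype, tag, alg, dtype, *digest = line.split()
    # dig may print long digests as several space-separated chunks; rejoin them.
    rdata = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return owner.lower().rstrip("."), rrtype.upper(), rdata


def dlv_candidates(qname, dlv_zone):
    """Names a validator tries in the DLV zone, most specific first (RFC 5074)."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    zone = dlv_zone.lower().rstrip(".")
    # Strip one leading label at a time until only the TLD is left.
    return [".".join(labels[i:] + [zone]) + "." for i in range(len(labels))]


def dlv_matches_ds(ds_line, dlv_line, dlv_zone):
    """True if the DLV record is the DS record re-homed under dlv_zone."""
    ds_owner, ds_type, ds_rdata = parse_rr(ds_line)
    dlv_owner, dlv_type, dlv_rdata = parse_rr(dlv_line)
    if (ds_type, dlv_type) != ("DS", "DLV"):
        return False
    expected_owner = ds_owner + "." + dlv_zone.lower().rstrip(".")
    # Owner must be <domain>.<dlv zone>; rdata must be identical to the DS rdata.
    return dlv_owner == expected_owner and dlv_rdata == ds_rdata


if __name__ == "__main__":
    print(dlv_matches_ds(DS_LINE, DLV_LINE, "dlv.isc.org"))
    # Hypothetical query name; shows how a TLD-level DLV entry would be reached.
    for name in dlv_candidates("www.qupps.biz", "dlv.isc.org"):
        print(name)
```

The last candidate in the list is the TLD under the DLV zone, which is the entry a repository holding only signed TLDs would need to publish.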