[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation
Bry8 Star
bry8star at yahoo.com
Fri Aug 24 03:50:21 UTC 2012
Thanks Leen Besselink & Jan-Piet Mens.
I now have bit better understanding, related to DLV registry & DNSSEC.
So it should be added/done by the Authority (Alternative Root DNS
operator) who is maintaining (set of) TLDs, outside of icann/iana.
So for a better & successful DNSSEC validation, other than adding their
own DS, RRSIG records for set of TLDs, a TLD / AltRootDns operator needs
to add some of those record info inside DLV registry as well.
pls see my other email for other issues i'm having.
On 8/23/2012 3:32 AM, Leen Besselink wrote:
> On Thu, Aug 23, 2012 at 12:22:03PM +0200, Jan-Piet Mens wrote:
>>> The solution for not having to create such a large configuration file might
>>> be that someone, probably the alternative root or TLD operators, could create
>>> a DLV-registery.
>>
>> DLV is basically a DNS zone which contains a DLV RR for each domain it
>> handles. The rdata of the DLV is what you'd normally put in the DS RR
>> for the zone.
>>
>> e.g.
>>
>> $ dig +noall +answer qupps.biz DS
>> qupps.biz. 3899 IN DS 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86
>>
>> $ dig +noall +answer qupps.biz.dlv.isc.org DLV
>> qupps.biz.dlv.isc.org. 3356 IN DLV 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86
>>
>> Regards,
>>
>> -JP
>
> It was mostly the details I wasn't sure about.
>
> The first thing I would try is to create an alternative unsigned root and a DLV-repository
> with all the signed TLDs, then you add a trust-anchor for the domain of the DLV-repository
> to the recursor. I would guess that would work.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
More information about the Unbound-users
mailing list