On Nov 20 2008, Stephane Bortzmeyer wrote:

> On Thu, Nov 20, 2008 at 11:55:17AM +0000,
> Chris Thompson <[EMAIL PROTECTED]> wrote a message of 33 lines which said:
>
> > > The text you quote is for DNS publication. But you typically do not
> > > put KSK in the DNS, no?
> >
> > Sure you do. How could a validator use it if you didn't?
>
> Because it is published as a trust anchor?

In theory, I suppose that's true: the named.conf trusted-keys entries are
just the textual representation of a KSK. (I've not seen a secure zone
actually configured to leave out the KSK, though, so I'm not sure this
would work.)

But who wants to publish trust anchors? Much better to get the KSK validated
from the parent zone (DS record) or a trusted source (DLV record).
And neither of those has enough data to actually *reconstruct* the KSK.

--
Chris Thompson
Email: [EMAIL PROTECTED]
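The point made above, as an added illustration not taken from the thread or from BIND: a trusted-keys stanza carries the whole DNSKEY, while a DS record carries only a key tag and a hash of the owner name plus DNSKEY RDATA (RFC 4034), so the DS cannot be turned back into the key. The owner name, flags and the four-byte "public key" are constructed sample values, not a real key.

```python
import base64
import hashlib

# Constructed sample: a KSK-flagged DNSKEY (flags 257) for "example.",
# protocol 3, algorithm 8. The key bytes are a dummy stand-in, not RSA material.
OWNER = "example."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
PUBLIC_KEY = b"\x01\x02\x03\x04"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 == 0 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA fields: key tag, algorithm, digest type, hex digest.

    digest = hash(owner wire name || DNSKEY RDATA); it is one-way, so the
    DS lets a validator *recognise* the KSK but never reconstruct it.
    """
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def trusted_keys_stanza(owner, flags, protocol, algorithm, public_key):
    """named.conf trusted-keys entry: the DNSKEY itself in text form."""
    b64 = base64.b64encode(public_key).decode("ascii")
    return f'trusted-keys {{ "{owner}" {flags} {protocol} {algorithm} "{b64}"; }};'


if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY)
    print(trusted_keys_stanza(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY))
    print("DS:", *ds_record(OWNER, rdata))
```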

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users