On 2010-07-16 12:36, Alan Clegg wrote:
> .net isn't signed, and you don't sign "out-of-zone" data (glue and
> delegation NS records).

But org. is signed, and gives the same result. But anyway, it basically boils down to:

> On 7/16/2010 6:25 AM, Niobos wrote:
>> It's probably just my lack of knowledge

Trying to enhance that:
Am I correct to state that it's not possible to validate a delegation NS RRset? You can only validate it indirectly by checking if the DS at the parent matches the DNSKEY in the (presumed) child.

It appears that DNSSEC was designed to verify from the QNAME back up to the root. I was trying to do it the other way around, hence my confusion.

thx,
Niobos
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users