That makes it clear for me; thank you very much! As an unrelated side-note: does anyone know when org.'s DS will be included in the root zone?
Niobos

On 2010-07-16 14:08, Alan Clegg wrote:
>> Trying to enhance that: Am I correct to state that it's not possible to
>> validate a delegation NS RRset?
>> You can only validate it indirectly by checking if the DS at the parent
>> matches the DNSKEY in the (presumed) child.
>
> And that the NS in the child is signed by the ZSK that is signed by the
> KSK that matches the DS in the parent.
>
> The parent is not allowed to sign the NS records (nor glue), as it does
> not truly 'own' the data -- only the child has that responsibility.
>
>> It appears that DNSSEC was designed to verify from the QNAME back up to
>> the root. I was trying to do it the other way around, hence my confusion.
>
> A leap of faith (trust anchor) provides a validatable zone which
> contains a DS record which validates a child DNSKEY which provides a
> validatable zone which ... but you start by doing a query for the QNAME
> for which you were interested in and then chasing backwards, so yes.
>
> I highly recommend http://dnsviz.net as a path to enlightenment.
>
> AlanC

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
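The one link in the chain the thread does describe, "the DS at the parent matches the DNSKEY in the child", can be checked offline from the two records alone. The script below is an added example, not code from the thread or from BIND: it builds the DS that a parent should publish for a child DNSKEY (key tag per RFC 4034 Appendix B, digest type 2 = SHA-256 over the canonical owner name plus the DNSKEY RDATA) and compares it with a DS record. The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib

# Constructed sample child zone and KSK (flags 257, protocol 3, algorithm 13).
# CHILD_PUBKEY is a placeholder byte string, not a real public key.
CHILD_ZONE = "child.example."
CHILD_PUBKEY = bytes(range(64))


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (the algorithm-1 special case is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS record the parent should publish for this child key (digest type 2 only)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes, ds: dict) -> bool:
    """True only if the parent's DS points at exactly this child DNSKEY."""
    if ds.get("digest_type") != 2:
        return False  # other digest types are out of scope for this example
    return compute_ds(owner, flags, protocol, algorithm, pubkey) == ds


def demo() -> tuple:
    """Returns (genuine key matches, tampered key matches) for the constructed sample."""
    ds = compute_ds(CHILD_ZONE, 257, 3, 13, CHILD_PUBKEY)
    genuine = ds_matches(CHILD_ZONE, 257, 3, 13, CHILD_PUBKEY, ds)
    tampered = ds_matches(CHILD_ZONE, 257, 3, 13, CHILD_PUBKEY[:-1] + b"\x00", ds)
    return genuine, tampered
```

A match here only establishes the DS-to-DNSKEY link; the DNSKEY RRset's own RRSIG and the chain back up to the trust anchor still have to be validated separately, as Alan notes.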