In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:
> Note that if you do turn on DNSSEC, you're going to have to make sure
> the trust anchors you configure get updated. Trust anchors have a
> validity period and if they're not updated before they expire
> validation will fail (which will appear to users of the resolver
> pretty much like a DNS failure for all the names in the signed zone).
> "Be careful out there."

While signing the root is the best solution, an alternate solution until that happens is DLV, as documented in RFC 4431. You can run your own setup, or trust someone to do it for you. Note that ISC runs a DLV registry, if you wanted to trust them:

https://secure.isc.org/index.pl?/ops/dlv/

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/