The current state of the DNS is that the root zone is signed, and
EVERYTHING delegated from it is signed by the root zone.  Once you get
below that, the lack of signatures on a zone is left as an exercise for
the admins of that zone.  (example.com can be delegated from the
[signed] COM zone without being signed, and that's all good and fine and
DNSSEC=auto handles that just fine.)

What doesn't work is when the admin chooses to use an undelegated top-
level domain (TLD), which won't be signed by the root key, and therefore
fails DNSSEC validation.

Especially given the recent changes in what constitutes a valid TLD, the
admin choosing to use a TLD of their own choosing is hoping from their
hearts that there will never be sufficient demand for that TLD to cause
it to be created and subdomains sold therein by various registries.
Because when that happens, and their users want to access things in that
newly-created TLD, then they will get to go and change all of their
domain names to avoid that.

Properly delegating children (whether that is published publicly or not)
from domain names that are actually under the control of the admin is
the only sane way of doing this.

** Changed in: bind9 (Ubuntu)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1500683

Title:
  By default DNSSEC is enabled with automatic keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1500683/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
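The chain-of-trust reasoning in the comment above (signed root, signed TLD, an unsigned child under a signed parent being fine, a made-up undelegated TLD failing validation) can be modelled in a few lines. The following Python is an added illustration, not code from the bug thread or from BIND; the zone tree, the zone names (`corp.com`, `broken.com`, `mylocal`) and the `classify` helper are all constructed for the example and simplify how a real validator walks delegations.

```python
"""Toy model of the DNSSEC chain of trust a validating resolver walks.

Starting at the signed root, each delegation step does one of three
things: the parent publishes a DS record (the child MUST then be signed),
the parent signs a proof that no DS exists (the child is 'insecure' and
nothing below it is validated), or the parent never delegated the name
at all (the parent can prove it does not exist, so any answer served
locally for it is 'bogus').
"""

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed zone tree (not data from the bug thread). The root is "".
# "delegations" maps a child label to whether the parent publishes a DS.
ZONES = {
    "": {"signed": True, "delegations": {"com": True}},
    "com": {"signed": True,
            "delegations": {"example": False,   # delegated, no DS
                            "corp": True,        # DS published, child signed
                            "broken": True}},    # DS published, child unsigned
    "example.com": {"signed": False, "delegations": {"lab": True}},
    "lab.example.com": {"signed": True, "delegations": {}},  # island, no chain
    "corp.com": {"signed": True, "delegations": {}},
    "broken.com": {"signed": False, "delegations": {}},
    # A TLD the admin made up: served by a local resolver, but the root
    # has no delegation for it.
    "mylocal": {"signed": False, "delegations": {}},
}


def classify(name: str) -> str:
    """Return 'secure', 'insecure' or 'bogus' for a name in ZONES."""
    labels = [l for l in name.strip(".").split(".") if l]
    zone = ""                                   # zone we are currently inside
    state = SECURE if ZONES[""]["signed"] else INSECURE
    for label in reversed(labels):              # walk TLD first, leaf last
        child = label if zone == "" else f"{label}.{zone}"
        delegations = ZONES[zone]["delegations"]
        if label in delegations:
            has_ds = delegations[label]
            child_signed = ZONES[child]["signed"]
            if state == SECURE:
                # Signed parent: DS forces a signed child, no DS means the
                # parent signs a proof of "no DS" and the child is insecure.
                if has_ds:
                    state = SECURE if child_signed else BOGUS
                else:
                    state = INSECURE
            # An already-insecure chain stays insecure; a DS published by an
            # unsigned parent cannot be trusted, so it does not help.
            zone = child
        elif child in ZONES:
            # Served somewhere, but never delegated by the parent. A signed
            # parent can prove the name does not exist, so the local answer
            # fails validation.
            if state == SECURE:
                return BOGUS
            zone = child
        else:
            # Ordinary record inside the current zone; nothing more to walk.
            break
        if state == BOGUS:
            return BOGUS
    return state


if __name__ == "__main__":
    for n in ("www.corp.com", "www.example.com", "host.lab.example.com",
              "www.broken.com", "host.mylocal"):
        print(f"{n:25s} {classify(n)}")
```

`www.example.com` comes out `insecure` rather than `bogus` because COM signs the proof that no DS exists for `example`, which is the case the comment says `dnssec-validation auto` handles fine; `host.mylocal` comes out `bogus` because the signed root can prove `mylocal` is not delegated, which is the made-up-TLD failure the comment describes.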
