[dnssec-deployment] Signed Root @ IANA
Lutz Donnerhacke
lutz at iks-jena.de
Fri Aug 3 03:48:22 EDT 2007
* richard.lamb wrote:
> Although only a rough experiment, I have a simple minded DS record acceptor
> at https://ns.iana.org/dnssec/ds/queryds/cgi
> It only addresses the DNSKEY to DS direction. You type in a TLD; it "digs"
> for the DNSKEY from the 'net (so that a bogus one can't easily be
> introduced); computes the corresponding DS record; presents it to the user
> for acceptance; if accepted, sends it to the zonesigners for inclusion in
> the next root signing.
That's the same technology SE is using. It's fine.
Please extend this form to accept also the in-addr.arpa, ip6.arpa, int and
other zones you are signing.
Especially the reverse zones are most interesting, because the reverse
delegation signing is far more widely deployed than forward zone signing.
A signed root without signed arpa, in-addr.arpa, and ip6.arpa is nearly
useless.
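
The DNSKEY-to-DS step described in the quoted message, as an added example that is not part of either post and is not IANA's code: it derives the key tag and digest from a DNSKEY following RFC 4034, for forward or reverse zones alike. The SHA-256 digest type, the function names and the sample key are assumptions made for illustration; the key is constructed, not a real one.

```python
import base64
import hashlib
import struct

# Constructed sample key material (not a real key): flags 257, protocol 3, algorithm 8.
SAMPLE_KEY_B64 = "AwEAAaq7zN0="

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # the root label terminates every name

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, hex_digest) using SHA-256 (type 2)."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        raise ValueError("Zone Key flag not set; key cannot anchor a delegation")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name as well, so a DS is bound to one zone.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(submitted_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """Compare a submitted 'tag alg type digest' string with the DS derived from the key."""
    tag, alg, dtype, digest = submitted_ds.split(None, 3)
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64)
    got = (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())
    return got == expected

if __name__ == "__main__":
    for zone in ("se.", "in-addr.arpa.", "ip6.arpa."):
        print(zone, "IN DS", *ds_from_dnskey(zone, 257, 3, 8, SAMPLE_KEY_B64))
```

Because the owner name is part of the hashed input, the same key published at `in-addr.arpa.` and `ip6.arpa.` yields two different DS digests, so each zone needs its own record.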