[dnssec-deployment] Status of NSEC3?
Sam Weiler
weiler at tislabs.com
Mon Aug 27 20:37:48 EDT 2007
On Fri, 24 Aug 2007, Dan Mahoney, System Admin wrote:
> Maybe I'm unclear on EXACTLY how DLV works, but is it not possible
> [to ...] zone-walk the DLV registry to build a series of
> trusted-keys statements suitable for one's own named.conf, even if
> one does not wish to run DLV validation for "everything"?
Yes (with an extra step or two). The DLV RRs have a hash of the
DNSKEY (just like the DS record), but BIND's named.conf syntax
requires the full key. So you walk the DLV registry, then query for
(and validate!) each of the corresponding DNSKEYs.
Note that there's a movement afoot to standardize on the DS record as
the format for trust anchors, which would eliminate the extra steps.
http://tools.ietf.org/wg/dnsop/draft-larson-dnsop-trust-anchor-01.txt
On the other hand, if you're going to be grabbing DLV RRs in bulk,
might it make more sense to go entirely out of band and download a
tarball (assuming that the DLV registry operator provided one)? In
either case, you also have the question of how often to check the DLV
registry (or the tarball) for changes.
> Or is the cryptography somehow...different?
Not at all.
-- Sam
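To make the "extra step or two" above concrete, here is an added example (mine, not code from Sam's post or from any DLV registry operator): given DLV RRs walked out of a registry and the DNSKEY RRsets queried for each zone, it checks that each DNSKEY really hashes to the DLV digest (the same construction as a DS record, RFC 4034 section 5.1.4, with the DLV RDATA layout from RFC 4431) and emits a BIND `trusted-keys` block containing only the keys that matched. The zone names, keys and digests are constructed sample data, and the script assumes the DNSKEY RRsets were fetched and their RRSIGs verified by a validating resolver beforehand; the RRSIG check itself is not implemented here.

```python
"""Added example: DLV RRs + queried DNSKEYs -> BIND trusted-keys block.

Assumptions (not from the list post): sample owner names, keys and digests
below are constructed, and the DNSKEY RRsets have already been validated
(RRSIG checked) by a validating resolver before they reach this code.
"""
import base64
import hashlib
import struct

# DLV RDATA (RFC 4431) has the DS layout: key tag, algorithm, digest type,
# digest. Digest types 1 (SHA-1, RFC 4034) and 2 (SHA-256, RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercased labels."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(struct.pack("B", len(lb)) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS/DLV digest: hash(canonical owner name | DNSKEY RDATA), uppercase hex.
    Note the owner is the zone name (example.org.), not the DLV RR's name."""
    h = DIGEST_ALGS[digest_type]()
    h.update(canonical_name(owner) + rdata)
    return h.hexdigest().upper()


def dlv_matches_dnskey(owner, dlv, dnskey) -> bool:
    """dlv = (key_tag, algorithm, digest_type, digest_hex);
    dnskey = (flags, protocol, algorithm, pubkey_b64)."""
    tag, alg, dtype, digest = dlv
    flags, proto, kalg, b64 = dnskey
    rdata = dnskey_rdata(flags, proto, kalg, b64)
    if kalg != alg or key_tag(rdata) != tag or dtype not in DIGEST_ALGS:
        return False
    return ds_digest(owner, rdata, dtype) == digest.upper()


def build_trusted_keys(dlv_registry, dnskeys):
    """dlv_registry: {zone: [dlv tuples]} (zone = DLV RR name with the
    registry suffix removed); dnskeys: {zone: [dnskey tuples]} from querying
    each zone's DNSKEY RRset. Keeps only keys some DLV RR vouches for."""
    accepted = []
    for zone, dlvs in dlv_registry.items():
        for key in dnskeys.get(zone, []):
            if any(dlv_matches_dnskey(zone, dlv, key) for dlv in dlvs):
                accepted.append((zone, key))
    return accepted


def trusted_keys_block(entries) -> str:
    """named.conf syntax: trusted-keys { "zone." flags protocol algorithm "key"; };"""
    lines = ["trusted-keys {"]
    for zone, (flags, proto, alg, b64) in entries:
        lines.append(f'    "{zone}" {flags} {proto} {alg} "{b64}";')
    lines.append("};")
    return "\n".join(lines)


# Constructed sample data (not a real key): a KSK (flags 257) for example.org.,
# RSA/SHA-256 wire format = exponent length, exponent, modulus.
SAMPLE_OWNER = "example.org."
SAMPLE_DNSKEY = (257, 3, 8, base64.b64encode(b"\x03\x01\x00\x01" + b"\x9c" * 64).decode())


def sample_dlv_registry():
    """Stand-in for the RRs one would walk out of the DLV registry (constructed).
    The second zone carries a digest for a key that no longer exists."""
    rdata = dnskey_rdata(*SAMPLE_DNSKEY)
    current = (key_tag(rdata), 8, 2, ds_digest(SAMPLE_OWNER, rdata, 2))
    stale = (key_tag(rdata), 8, 2, "00" * 32)
    return {SAMPLE_OWNER: [current], "stale.example.": [stale]}


if __name__ == "__main__":
    registry = sample_dlv_registry()
    queried = {SAMPLE_OWNER: [SAMPLE_DNSKEY], "stale.example.": [SAMPLE_DNSKEY]}
    print(trusted_keys_block(build_trusted_keys(registry, queried)))
```

Only `example.org.` ends up in the output; `stale.example.` is dropped because its DLV digest does not match the key actually served, which is exactly the situation the "how often to re-check the registry" question is about.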