[dnssec-deployment] Status of NSEC3?

Sam Weiler weiler at tislabs.com
Mon Aug 27 20:37:48 EDT 2007

On Fri, 24 Aug 2007, Dan Mahoney, System Admin wrote:

> Maybe I'm unclear on EXACTLY how DLV works, but is it not possible 
> [to ...] zone-walk the DLV registry to build a series of 
> trusted-keys statements suitable for one's own named.conf, even if 
> one does not wish to run DLV validation for "everything"?

Yes (with an extra step or two).  The DLV RRs have a hash of the 
DNSKEY (just like the DS record), but BIND's named.conf syntax 
requires the full key.  So you walk the DLV registry, then query for 
(and validate!) each of the corresponding DNSKEYs.

Note that there's a movement afoot to standardize on the DS record as 
the format for trust anchors, which would eliminate the extra steps.

On the other hand, if you're going to be grabbing DLV RRs in bulk, 
might it make more sense to go entirely out of band and download a 
tarball (assuming that the DLV registry operator provided one)?  In 
either case, you also have the question of how often to check the DLV 
registry (or the tarball) for changes.

> Or is the cryptography somehow...different?

Not at all.

-- Sam
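The "validate!" step Sam describes is the binding check between a DLV RR and the DNSKEY it was derived from: recompute the DS-style digest over the zone name plus the DNSKEY RDATA and compare it to what the registry published. The following is an added illustration, not code from the list or from BIND/ISC, that performs that check offline on a constructed key and emits the matching trusted-keys stanza; it assumes a hypothetical zone `example.com.` and key bytes invented for the example, and it does not fetch records or verify RRSIGs.

```python
"""Check a DNSKEY against a DLV (or DS) record, then emit a BIND trusted-keys stanza."""
import base64
import hashlib
import struct

# Hypothetical zone and key, constructed for this example (not real DNS data).
ZONE = "example.com."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8,
          "key": base64.b64encode(b"constructed-example-public-key-bytes").decode()}

def wire_name(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(k):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack(">HBB", k["flags"], k["protocol"], k["algorithm"]) + base64.b64decode(k["key"])

def key_tag(k):
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(zone, k, digest_type):
    """DS/DLV digest = hash(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(zone) + dnskey_rdata(k)).hexdigest().upper()

def matches_dlv(zone, k, dlv):
    """True only if key tag, algorithm and digest in the DLV RR all match this DNSKEY.
    The digest covers the zone's own name, not the name the DLV RR is published under."""
    return (dlv["key_tag"] == key_tag(k) and dlv["algorithm"] == k["algorithm"]
            and dlv["digest"] == ds_digest(zone, k, dlv["digest_type"]))

def trusted_keys_stanza(zone, k):
    """named.conf needs the full key, which is why the DNSKEY must be fetched at all."""
    return (f'trusted-keys {{\n  "{zone}" {k["flags"]} {k["protocol"]} '
            f'{k["algorithm"]} "{k["key"]}";\n}};')

# The DLV RR the registry would publish for the constructed key (SHA-256 digest).
DLV = {"key_tag": key_tag(DNSKEY), "algorithm": 8, "digest_type": 2,
       "digest": ds_digest(ZONE, DNSKEY, 2)}

if __name__ == "__main__":
    tampered = dict(DNSKEY, key=base64.b64encode(b"substituted-key-bytes").decode())
    print("genuine key matches DLV:", matches_dlv(ZONE, DNSKEY, DLV))
    print("substituted key matches DLV:", matches_dlv(ZONE, tampered, DLV))
    print(trusted_keys_stanza(ZONE, DNSKEY))
```

A DNSKEY answer that passes this comparison but whose RRSIG was never validated is still only as trustworthy as the transport it arrived over.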