Getting those DNSSEC keys, was Re: [dnssec-deployment] dot MUSEUM implemented DNSSEC

Shane Kerr shane at
Fri Sep 19 11:59:07 EDT 2008

On Fri, 2008-09-19 at 11:25 -0400, Dan Mahoney, System Admin wrote:
> >
> > Though I think someone should put up a trusted keys page that's easier
> > to configure in existing software. (eg bind/unbound include file, though
> > I'd prefer one TLD per file, so people can easily add/remove entries).

> True, but in the absence of a signed root, that could lead to people 
> blindly pasting the whole thing into their named.conf -- which while it 
> might encourage more widespread adoption, opens us up to a trust attack -- 
> i.e. if all the keys are there, why would joe-sysadmin think signing the 
> root is important?

Uh huh.

Have you set up a DNSSEC-verifying resolver? I just did this last week,
looking around for information on various signed sources. I decided to
use DLV to get as much DNSSEC-goodness as possible.

The quality varies *widely* (at least from naive Google-based approach).
Here are the comments in my named.conf:

// DLV keys
// announcements to <dlv-announce at>

// RIPE keys
// announcements to <dnssec-announce at>

// SE keys
// announcements to <dnssec-announce at>

// BR keys (BR is also in DLV)

// PR keys
// *** no announcement list ***

// CZ keys
// *** no announcement list ***

// BG keys
// ???... some keys

Some sites have nice SSL-verified sites and PGP-signed announcements on
mailing lists, with published policies. Others... less so.

So if Paul's site has a simple list of URL's (and maybe notes) like I
used, it's good enough. Really. It would have saved me a couple hours at

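One check worth doing before pasting any of those keys into named.conf, whatever the quality of the site they came from, is to confirm that the DNSKEY you copied actually matches a DS record published through a separate channel (a signed announcement, a parent zone, DLV). The script below is an added example, not code from this thread or from any of the registries mentioned; it computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY in presentation format and compares them against a DS line. The key material in it is constructed for the example and is not a real zone key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata bytes)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = int(tokens[idx + 1]), int(tokens[idx + 2]), int(tokens[idx + 3])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    # RDATA is flags (2 bytes), protocol (1), algorithm (1), then the raw public key.
    return owner, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit ones-complement-style sum over the RDATA)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name wire form followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(dnskey_line: str) -> str:
    """Build the DS record (digest type 2) that a parent or DLV would publish for this key."""
    owner, rdata = parse_dnskey(dnskey_line)
    alg = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {ds_sha256(owner, rdata)}"


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True only if key tag, algorithm, digest type 2 and the digest all agree with the DS line."""
    owner, rdata = parse_dnskey(dnskey_line)
    tokens = ds_line.split()
    idx = tokens.index("DS")
    tag, alg, dtype = int(tokens[idx + 1]), int(tokens[idx + 2]), int(tokens[idx + 3])
    digest = "".join(tokens[idx + 4:]).upper()
    if dtype != 2:  # only SHA-256 DS records are handled here
        return False
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest == ds_sha256(owner, rdata))


# Constructed sample: a KSK-flagged (257) DNSKEY for a hypothetical TLD "example."
# with made-up key bytes; it is NOT a real trust anchor.
CONSTRUCTED_KEY_B64 = base64.b64encode(b"constructed public key bytes, not a real key").decode()
CONSTRUCTED_DNSKEY = f"example. IN DNSKEY 257 3 8 {CONSTRUCTED_KEY_B64}"


if __name__ == "__main__":
    published_ds = make_ds(CONSTRUCTED_DNSKEY)   # stand-in for the DS obtained out of band
    print(published_ds)
    print("matches:", ds_matches(CONSTRUCTED_DNSKEY, published_ds))
```

In practice the DS line comes from somewhere other than the page you copied the DNSKEY from; if the two do not agree on tag, algorithm and digest, the key does not go into the resolver configuration.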
