[Dnssec-deployment] Re-introduction of .de subdomains into ISC's DLV

Edward Lewis Ed.Lewis at neustar.biz
Tue Jun 14 09:40:26 EDT 2011


At 18:05 -0700 6/13/11, David Conrad wrote:

>I'm probably missing something obvious, but given DE was signed with its DS
>in the root, what benefit does putting DE's sub-domains back in ISC's DLV
>bring?

A "sub-domain" of DE need not be delegated from the DE zone.  There 
may be intermediate zones.

At 10:47 +0200 6/14/11, W.C.A. Wijngaards wrote:

>Unbound has the same policy.  Thus, the root trust-anchor wins if it has
>a chain to the root and a DLV-chain.

Why is there a "winner" (unless I'm reading too much into that). 
Ties are good too.  I.e., if the DS-based trust chain validates OR 
the DLV chain validates, the data ought to be accepted.  Even if the 
OR is exclusive.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

I'm overly entertained.


More information about the Dnssec-deployment mailing list