[dns-operations] Some DNSSEC trivia

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jan 8 09:14:44 UTC 2008

On Mon, Jan 07, 2008 at 09:08:08PM +0000,
 Lutz Donnerhacke <lutz at iks-jena.de> wrote 
 a message of 50 lines which said:

> Type e) problems occur, if you are signing an 'fr' zone and using a
> recursive as well as authoritative NS for this zone. If you turn on
> validation and switch to, e.g. a different - signed - root, the
> FR-NIC removes the zone delegation from the FR zone, because their
> ongoing validity checks fail to return the "correct ICANN NS for
> .".

Let me fix some misconceptions about ".fr" technical checks.

1) The checks are only done at creation time. After that, you can break
your zone at will, AFNIC (the registry) will not delete it. There are
no periodic DNS patrols.

2) The tests for the root name servers you use are done *only* if the
name server is recursive, as seen from the world (a bad practice,
anyway). So, if you follow the Good Common Practices, you have
separate authoritative servers and recursive servers and AFNIC will
only test the authoritative ones; you can do anything you want with
the recursive ones.
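
An added example, not part of the original message and not AFNIC's actual test: one way to check whether a name server you operate looks recursive "as seen from the world" is to send it an RD=1 query for a name outside its zones and inspect the RA flag, RCODE and answer count of the reply. The function names, category labels and sample reply headers below are assumptions constructed for illustration.

```python
import socket
import struct

QR, RA = 0x8000, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(qname, qid=0x1234, qtype=1):
    """DNS query for qname (type A by default) with RD=1, i.e. asking for recursion."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(msg):
    """Classify the reply to an RD=1 query for a name the server is NOT authoritative for."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0:
        return "recursive"             # resolved an out-of-zone name for a stranger
    if flags & RA:
        return "recursion-advertised"  # RA set, but this client got no answer
    return "authoritative-only"        # RA clear: REFUSED, referral or empty reply

def probe(server, out_of_zone_name, timeout=3.0):
    """Send the query over UDP to a server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(out_of_zone_name), (server, 53))
        return classify_response(s.recv(4096))

def _hdr(flags, ancount=0, nscount=0):
    """Build a 12-byte reply header for the constructed samples below."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed reply headers (not captured traffic).
SAMPLES = {
    "open resolver": _hdr(0x8180, ancount=1),    # QR RD RA, NOERROR, 1 answer
    "refused": _hdr(0x8105),                     # QR RD, RCODE=REFUSED
    "root referral": _hdr(0x8100, nscount=13),   # QR RD, referral, RA clear
    "ra but refused": _hdr(0x8185),              # QR RD RA, RCODE=REFUSED
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:16} -> {classify_response(msg)}")
```

Run `probe()` from a network outside the server's allowed-client ranges, since a reply seen from inside says nothing about how the server looks from the world.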
