[dns-operations] Some DNSSEC trivia

Mark Andrews Mark_Andrews at isc.org
Tue Jan 8 11:25:57 UTC 2008


> On Mon, Jan 07, 2008 at 09:08:08PM +0000,
>  Lutz Donnerhacke <lutz at iks-jena.de> wrote 
>  a message of 50 lines which said:
> 
> > Type e) problems occur, if you are signing an 'fr' zone and using a
> > recursive as well as authoritative NS for this zone. If you turn on
> > validation and switch to, e.g. a different - signed - root, the
> > FR-NIC removes the zone delegation from the FR zone, because their
> > ongoing validity checks fail to return the "correct ICANN NS for
> > .".
> 
> Let me fix some misconceptions about ".fr" technical checks.
> 
> 1) The checks are only done at creation time. After that, you can break
> your zone at will, AFNIC (the registry) will not delete it. There are
> no periodic DNS patrols.

	Doesn't AFNIC believe in following RFC 1034?
	That REQUIRES periodic checks of delegations.

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
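
Added example, not part of the original message: one way to run the consistency check that the RFC 1034 passage quoted above asks of both administrators, comparing the NS and glue RRs on the two sides of a zone cut. The zone `example.fr.`, all records, and the names `parse` and `check_cut` are constructed for illustration; in practice the two inputs would be answers obtained from the parent's and the child's authoritative servers.

```python
# Added example: compare the two sides of a zone cut (constructed data).
from collections import defaultdict

# Constructed sample: the delegation as published in the parent zone ...
PARENT_SIDE = """
example.fr.      NS   ns1.example.fr.
example.fr.      NS   ns2.example.net.
ns1.example.fr.  A    192.0.2.1          ; glue
"""
# ... and the apex NS RRset plus addresses as served by the child zone.
CHILD_SIDE = """
example.fr.      NS   ns1.example.fr.
example.fr.      NS   ns3.example.fr.
ns1.example.fr.  A    192.0.2.53
ns3.example.fr.  A    198.51.100.7
"""

def parse(text):
    """Parse 'owner TYPE rdata' lines into {(owner, type): set(rdata)}."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rrsets[(owner.lower(), rtype.upper())].add(rdata.strip().lower())
    return rrsets

def check_cut(zone, parent_text, child_text):
    """Return a sorted list of inconsistencies between parent and child."""
    zone = zone.lower()
    parent, child = parse(parent_text), parse(child_text)
    p_ns, c_ns = parent[(zone, "NS")], child[(zone, "NS")]
    problems = [f"NS {ns} only in parent delegation" for ns in p_ns - c_ns]
    problems += [f"NS {ns} only in child apex" for ns in c_ns - p_ns]
    # Glue is needed only for name servers inside the delegated zone.
    for ns in p_ns | c_ns:
        if not (ns == zone or ns.endswith("." + zone)):
            continue
        for rtype in ("A", "AAAA"):
            glue, auth = parent[(ns, rtype)], child[(ns, rtype)]
            if glue != auth:
                problems.append(f"{rtype} for {ns}: parent {sorted(glue)} "
                                f"!= child {sorted(auth)}")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_cut("example.fr.", PARENT_SIDE, CHILD_SIDE):
        print(problem)
```

Run periodically, an empty result means the two sides of the cut still agree; any line in the output is a drift that either the parent or the child administrator has to correct.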


