On Mon, Jul 19, 2010 at 03:04:36PM +0000, bmanning at vacation.karoshi.com wrote:

> 	additionally, if the origin of the validation request is laptoy.example.NET,
> 	then the "closest" TA for www.example.org would not be the TA for .org,
> 	it would be the TA for .  -- right?  (the iterative/recursive mode of DNS tree walking)

all this "tree walking" starts at the root anyway.  And DNS hierarchy doesn't
match organizational hierarchy, so the DNS name (if there is one) of the
validator has no role in this game.
Of course, from an operational perspective, it is wise to make sure the
resolution of your "own" domain names works independently of external
influence.  "Own" of course is a matter of local policy, not to be
fully deduced from the name of the resolver/validator.
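As an added illustration (not part of the thread), the point in the reply above in code: a validator picks its starting trust anchor by finding the longest configured anchor that is an ancestor-or-self of the queried name, so the answer depends only on the name hierarchy and the locally configured anchors; the validator's own hostname never enters the search. The anchor sets below are constructed examples, and `closest_trust_anchor` is a name chosen here, not a real library API.

```python
from typing import Iterable, Optional, Tuple


def labels_root_first(name: str) -> Tuple[str, ...]:
    """Split a DNS name into labels ordered root-first, lowercased.

    Trailing dots are stripped and DNS names compare case-insensitively,
    so "WWW.Example.ORG." -> ("org", "example", "www").  The root name
    "." (or "") yields the empty tuple.
    """
    parts = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(parts))


def closest_trust_anchor(qname: str, anchors: Iterable[str]) -> Optional[str]:
    """Return the configured anchor closest to qname, or None if no anchor
    covers it (chain building starts at the closest enclosing anchor).

    An anchor covers qname when its labels are a prefix of qname's
    root-first labels; the root anchor has zero labels and covers every
    name.  Among covering anchors the deepest one wins.  Nothing about
    the validator itself (its name, its organisation) is an input.
    """
    q = labels_root_first(qname)
    best: Optional[str] = None
    best_depth = -1
    for anchor in anchors:
        a = labels_root_first(anchor)
        if q[: len(a)] == a and len(a) > best_depth:
            best, best_depth = anchor, len(a)
    return best


if __name__ == "__main__":
    # Constructed anchor sets: a root-only validator, and one that also
    # holds a local anchor for its "own" zone as a matter of local policy.
    root_only = {"."}
    with_local = {".", "example.net."}
    for name in ("www.example.org", "laptoy.example.NET"):
        print(name, "->", closest_trust_anchor(name, root_only),
              "|", closest_trust_anchor(name, with_local))
```

With the root anchor alone every name starts at ".", and adding an anchor for example.net changes the answer only for names under example.net, regardless of where the validator sits.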


