[dns-operations] .biz DNSSEC failure?

Paul Wouters paul at cypherpunks.ca
Sat Jun 22 21:52:23 UTC 2013


On Sat, 22 Jun 2013, Vernon Schryver wrote:

>> It's something that a signer solution should really check for before
>> allowing a zone to be pushed, even if that means some kind of internet
>> connectivity to get those DS records.
>
> If a "signer solution" is something done by, for, or in a parent
> domain (e.g. the gTLD operator, registry, or registrar),
> thanks but no thanks.

No. I meant the signer that actually signs the child zone, should verify
that it indeed will not cause an invalid child to be published by
rolling a key, leaving its child zone with just bogus DS records at the
parent.

Paul



More information about the dns-operations mailing list