[dns-operations] .biz DNSSEC failure?
richard.lamb at icann.org
Mon Jun 24 13:09:11 UTC 2013
...impo I agree, the domain holder should be able to get whatever ds they want included whether it validates or not ( market forces rule and all that...). It is too bad these signers don't automatically test before firing. Every signing script I have ever written (and some in production) verifies ds-ksk-zsk before committing or exits and sends email if not. I assumed everyone did much more than my rudimentary tests.
Sent from my iPhone
On Jun 22, 2013, at 17:53, "Paul Wouters" <paul at cypherpunks.ca> wrote:
> On Sat, 22 Jun 2013, Vernon Schryver wrote:
>>> It's something that a signer solution should really check for before
>>> allowing a zone to be pushed, even if that means some kind of internet
>>> connectivity to get those DS records.
>> If a "signer solution" is something done by, for, or in a parent
>> domain (e.g. the gTLD operator, registry, or registrar),
>> thanks but no thanks.
> No. I meant the signer that actually signs the child zone, should verify
> that it indeed will not cause an invalid child to be published by
> rolling a key, leaving its child zone with just bogus DS records at the
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> dns-jobs mailing list
More information about the dns-operations