[dns-operations] .biz DNSSEC failure?

Richard Lamb richard.lamb at icann.org
Mon Jun 24 13:09:11 UTC 2013


...IMPO I agree, the domain holder should be able to get whatever DS they want included, whether it validates or not (market forces rule and all that...). It is too bad these signers don't automatically test before firing. Every signing script I have ever written (and some in production) verifies DS-KSK-ZSK before committing, or exits and sends email if not. I assumed everyone did much more than my rudimentary tests.

Rick


On Jun 22, 2013, at 17:53, "Paul Wouters" <paul at cypherpunks.ca> wrote:

> On Sat, 22 Jun 2013, Vernon Schryver wrote:
> 
>>> It's something that a signer solution should really check for before
>>> allowing a zone to be pushed, even if that means some kind of internet
>>> connectivity to get those DS records.
>> 
>> If a "signer solution" is something done by, for, or in a parent
>> domain (e.g. the gTLD operator, registry, or registrar),
>> thanks but no thanks.
> 
> No. I meant the signer that actually signs the child zone, should verify
> that it indeed will not cause an invalid child to be published by
> rolling a key, leaving its child zone with just bogus DS records at the
> parent.
> 
> Paul
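The pre-publication check discussed in this thread, reduced to its DS-to-DNSKEY step, as an added example that is not part of the original messages or anyone's production script: it recomputes DS digests (RFC 4034) for the keyset about to be published and refuses the push if no DS at the parent matches. The zone name `child.example.` and the key blobs are constructed placeholders; fetching the DS set from the parent and verifying the RRSIGs (KSK over the DNSKEY set, ZSK over the zone) are assumed to happen elsewhere.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def matching_ds(owner, parent_ds, new_dnskeys):
    """Parent DS records that match a key in the DNSKEY set about to be published."""
    hits = []
    for tag, alg, dtype, digest in parent_ds:
        if dtype not in DIGESTS:
            continue  # unknown digest type: cannot confirm, so do not count it
        for key in new_dnskeys:
            rdata = dnskey_rdata(*key)
            # 0x0100 is the Zone Key flag; a DS may only point at a zone key
            if key[0] & 0x0100 and make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.lower()):
                hits.append((tag, alg, dtype, digest))
    return hits

# Constructed sample data: short placeholder blobs, not real public keys.
OLD_KSK = (257, 3, 8, "AQIDBA==")
NEW_KSK = (257, 3, 8, "BQYHCA==")
ZSK = (256, 3, 8, "CQoLDA==")
PARENT_DS = [make_ds("child.example.", dnskey_rdata(*OLD_KSK))]  # what the parent serves

def safe_to_publish(new_dnskeys, owner="child.example.", parent_ds=PARENT_DS):
    """False means the push would leave only DS records that match no published key."""
    return bool(matching_ds(owner, parent_ds, new_dnskeys))
```

A signing script would call `safe_to_publish()` on the new keyset before committing the zone, and exit with an alert when it returns `False`, for example when the old KSK has been dropped while the parent still serves only its DS.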


