RE: DNSSEC basic information

2019-09-24 Thread John W. Blue
Tony, Thanks for the observations! My comments about intent and zone data size are based upon information that was presented at Infoblox training classes I have attended. I would assume that Infoblox being Infoblox would be (mostly) accurate when it comes to developing a slide deck. However,

RE: DNSSEC basic information

2019-09-24 Thread Tony Finch
John W. Blue wrote: > > Nothing prevents anyone from using DNSSEC internally but, as I > understand it, that was not the intent. I'm a relative newcomer having only done DNSSEC for about 10 years (so I wasn't around until most of the design arguments were settled), but I don't remember seeing any

RE: DNSSEC basic information

2019-09-24 Thread John W. Blue
Anne, Nothing prevents anyone from using DNSSEC internally but, as I understand it, that was not the intent. Additionally, if there is an obligation to validate zones internal to an organization, that in and of itself should be a really big red flag that something is wrong with trust relationships. So

Re: DNSSEC basic information

2019-09-24 Thread Anne Bennett
Evan Hunt answers Jukka Pakkanen: > In newer releases there's also a configuration option, "validate-except", > which permanently disables validation below specified domains. This can > be used, for example, if you have an internal network using a fake TLD > and you want to prevent it from showi

Re: DNSSEC basic information

2019-09-24 Thread Tony Finch
Evan Hunt wrote: > > There's a way now for a signed domain to send an in-band signal to its > parent that the DS RRset needs updating. A new tool "dnssec-cds" is > available to help with this. AFAIK this mechanism hasn't been adopted by > any TLDs yet, but may be of interest anyway. .ch https://w

Re: DNSSEC basic information

2019-09-24 Thread Tony Finch
Mark Elkins wrote: > > 2) When a Zone is signed, you will be given some DS Records - which need to be > passed on for inclusion into the Parent Zone. Currently, BIND creates two DS > keys. > You'll find them inside "dsset-Zone.being.signed". ... if you are using dnssec-signzone, but I would not r

Re: DNSSEC basic information

2019-09-24 Thread Mark Elkins
On 2019/09/23 23:00, John W. Blue wrote: Jukka, Some odds n ends in no particular order: 1. DNSSEC was designed for external zones 1) I'd also suggest using Algorithm 13 - Elliptical Curve - for any new key creations dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed This