Old 30th January 2010
Knobee
Real Name: Alan Clegg
New User
 
Join Date: Jan 2010
Location: Apex, NC, USA
Posts: 9

Nameservers don't talk to each other "with DNSSEC" -- an outbound query with the DO bit (DNSSEC OK) set tells the upstream server that yours is capable of dealing with DNSSEC replies, in which case you will get RRSIG responses in addition to the actual response to the query that was asked.

It's then up to you to do something with that RRSIG (validation step).

You will need to configure trust anchors on your server if you wish to validate on behalf of the client systems...

I wrote a short paper last year that may be able to help you out, but since I don't have enough "points" to post a URL, you can search for it:

"DNSSEC in 6 minutes"

If you have any questions, feel free to contact me directly (contact info in PDF) or ask on the bind-users mailing list. bind-users can be found, again, via Google, or look around on the isc.org website.

Knobee

EDIT: DNSSEC in 6 minutes

Last edited by J65nko; 30th January 2010 at 03:22 PM. Reason: URL added by J65nko