To coincide with today's webcast about DNSSEC [1], I changed how the dshield.org zone is DNSSEC signed. The zone itself has been signed for a while now, but I used "look aside validation" via isc.org. For a few months now, it has been possible to have .org zones directly signed by .org, and I decided to give it a try. Please let me know if you see any issues. If you plan to deploy DNSSEC yourself, see Verisign's [3] nice testing tool as well as the visualization tool by DNSVIZ [4].

[1] https://www.sans.org/webcasts/isc-threat-update-20110413-94083

------
Johannes 4475 Posts ISC Handler Apr 14th 2011
Hello,
interesting and I view this as positive. However, is there a specific (security related?) reason for having multiple (3 at this moment) orphaned DS records for dshield.org. in the org. zone?

ksk keyid "10590" missing from domain
ksk keyid "52013" missing from domain
ksk keyid "62013" missing from domain

Kind regards,
Marc Lampo
EURid vzw/asbl
Security Officer
Anonymous
Apr 18th 2011
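The check behind the "missing from domain" lines in the comment above, as an added example that is not part of the original thread: a DS record in the parent is orphaned when its key tag and algorithm match no DNSKEY published by the child zone. The function names, the sample DNSKEY and the algorithm number 8 are constructed assumptions; only the three key ids come from the comment.

```python
import base64
import struct


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    Not valid for algorithm 1 (RSA/MD5), which uses a different calculation.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of each 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def orphaned_ds(parent_ds, child_dnskeys):
    """Return the (key tag, algorithm) DS entries that match no child DNSKEY.

    A tag match is only the first filter: a full check also compares the DS
    digest against the hash of the owner name and DNSKEY RDATA.
    """
    published = {(key_tag(*key), key[2]) for key in child_dnskeys}
    return [ds for ds in parent_ds if ds not in published]


# Constructed sample data: one KSK (flags 257) with an 8-byte dummy key.
CHILD_DNSKEYS = [(257, 3, 8, "AQIDBAUGBwg=")]

# DS set as seen in the parent zone: one entry for the live key plus the
# three key ids named in the comment (algorithm 8 is assumed here).
PARENT_DS = [(5149, 8), (10590, 8), (52013, 8), (62013, 8)]

if __name__ == "__main__":
    for tag, _alg in orphaned_ds(PARENT_DS, CHILD_DNSKEYS):
        print(f'ksk keyid "{tag}" missing from domain')
```
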