[Opendnssec-develop] Re: [OpenDNSSEC] #67: Opendnssec +DLV (lookaside)
OpenDNSSEC
owner-dnssec-trac at kirei.se
Tue Dec 22 14:27:35 UTC 2009
#67: Opendnssec +DLV (lookaside)
------------------------------------+---------------------------------------
Reporter: archi.laurent@… | Owner: matthijs
Type: enhancement | Status: closed
Priority: trivial | Component: Signer
Version: trunk | Resolution: worksforme
Keywords: DLV (lookaside) |
------------------------------------+---------------------------------------
Changes (by rb):
* status: new => closed
* resolution: => worksforme
Comment:
Hi Archi
It is true that you can have a DLV record in your zone (as a resource
record in your zone file). But OpenDNSSEC will not be used as a resolver.
OpenDNSSEC will only be used for signing. So you do not need to do
anything special to use DLV RR in your zone.
From RFC5074:
"DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS
Security (DNSSEC) trust anchors outside of the DNS delegation chain. It
allows validating resolvers to validate DNSSEC-signed data from zones
whose ancestors either aren't signed or don't publish Delegation Signer
(DS) records for their children."
From RFC4431:
"The DLV resource record has exactly the same wire and presentation
formats as the DS resource record, defined in RFC 4034, Section 5. It uses
the same IANA-assigned values in the algorithm and digest type fields as
the DS record. (Those IANA registries are known as the "DNS Security
Algorithm Numbers" and "DS RR Type Algorithm Numbers" registries.)
The DLV record is a normal DNS record type without any special processing
requirements. In particular, the DLV record does not inherit any of the
special processing or handling requirements of the DS record type
(described in Section 3.1.4.1 of RFC 4035). Unlike the DS record, the DLV
record may not appear on the parent's side of a zone cut. A DLV record
may, however, appear at the apex of a zone."
--
Ticket URL: <http://trac.opendnssec.org/ticket/67#comment:1>
OpenDNSSEC <http://www.opendnssec.org/>
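
The RFC 4431 point quoted above (a DLV record has the same wire and presentation formats as a DS record) can be seen by deriving both from one DNSKEY. This is an added example, not part of the original message or of OpenDNSSEC's code; the key bytes, the zone name `example.org.` and the lookaside owner name `example.org.dlv.example.` are constructed assumptions.

```python
import base64, hashlib, struct

DS_TYPE, DLV_TYPE = 43, 32769  # RR type codes assigned to DS and DLV

def name_to_wire(name):
    """Canonical (lower-cased) wire form of a fully qualified owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034, 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_style_rdata(zone, dnskey, digest_type=2):
    """RDATA shared by DS and DLV: key tag, algorithm, digest type, digest."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashers[digest_type](name_to_wire(zone) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], digest_type) + digest

def to_presentation(record_owner, rrtype, rdata):
    """Zone-file line; the layout is identical for DS and DLV."""
    tag, alg, dtype = struct.unpack("!HBB", rdata[:4])
    return f"{record_owner} IN {rrtype} {tag} {alg} {dtype} {rdata[4:].hex().upper()}"

# Constructed placeholder: 64 bytes standing in for an algorithm 13 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)

def example_records(zone="example.org.", dlv_owner="example.org.dlv.example."):
    """Return the DS and DLV zone-file lines built from the same RDATA."""
    rdata = ds_style_rdata(zone, SAMPLE_DNSKEY)
    return to_presentation(zone, "DS", rdata), to_presentation(dlv_owner, "DLV", rdata)

if __name__ == "__main__":
    for line in example_records():
        print(line)
```

Only the record type and owner name differ between the two lines; a signer treats the DLV line like any other resource record in the zone file.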