[Opendnssec-develop] Re: Signing the root

Jakob Schlyter jakob at kirei.se
Fri Feb 12 22:05:05 UTC 2010


On 12 feb 2010, at 07.45, Rickard Bellgrim wrote:

> > How should you configure OpenDNSSEC to sign the root? How do we want
> > OpenDNSSEC to behave?
>  
> Would it be possible to change OpenDNSSEC so that we use zone names with the trailing dot? Including in the zonelist?

we should have a common way of canonicalizing the zone name, so we always add a trailing dot if it is missing. this would make "" become "." and "xyzzy.se" become "xyzzy.se.".

now that 1.0.0 has been shipped, we also need to upgrade any existing data upon upgrade if we make this change.

OR we just use zone names without trailing dot but encode root as "." anyway.

	jakob
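
The canonicalization rule and the upgrade of existing data discussed in the message above, as an added example that is not part of the original post or of OpenDNSSEC's code. The function names, the buffer size and the sample zone list are hypothetical; names are compared case-sensitively, since the message only discusses the trailing dot.

```c
#include <stdio.h>
#include <string.h>

#define ZONE_NAME_MAX 255   /* hypothetical: 253 chars + trailing dot + NUL */

/* Write the canonical form of a zone name to out: exactly one trailing dot.
 * "" and "." both become "." (the root). Returns 0 on success, -1 if the
 * name contains an empty label ("a..b", ".se", "se..") or does not fit. */
int canonicalize_zone_name(const char *in, char *out, size_t outlen)
{
    size_t len = strlen(in);
    if (len > 0 && in[len - 1] == '.')
        len--;                          /* ignore one trailing dot */
    if (len + 2 > outlen)
        return -1;                      /* no room for dot + NUL */
    for (size_t i = 0; i < len; i++) {
        /* a dot at either end, or two dots in a row, is an empty label */
        if (in[i] == '.' && (i == 0 || i == len - 1 || in[i - 1] == '.'))
            return -1;
    }
    memcpy(out, in, len);
    out[len] = '.';
    out[len + 1] = '\0';
    return 0;
}

/* Upgrade pass over an existing zone list: rewrite each valid name in place.
 * Returns the number of entries that are invalid or that collide with an
 * earlier entry once canonicalized ("xyzzy.se" next to "xyzzy.se."). */
int upgrade_zone_list(char names[][ZONE_NAME_MAX], size_t count)
{
    int problems = 0;
    char canon[ZONE_NAME_MAX];
    for (size_t i = 0; i < count; i++) {
        if (canonicalize_zone_name(names[i], canon, sizeof canon) != 0) {
            problems++;                 /* left unchanged for manual review */
            continue;
        }
        strcpy(names[i], canon);
        for (size_t j = 0; j < i; j++)
            if (strcmp(names[j], names[i]) == 0) { problems++; break; }
    }
    return problems;
}

int main(void)
{
    char zones[][ZONE_NAME_MAX] = { "", "xyzzy.se", "xyzzy.se." }; /* constructed */
    printf("%d problem(s)\n", upgrade_zone_list(zones, 3));
    return 0;
}
```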



