Being able to verify signatures is of no value.
The system only has value when you can act differently according to
whether the signature verifies or not.
I keep asking, but nobody will tell me how I get the keys for my
domains into the TLD.
This is not a trivial issue. There is a question of liability to be
addressed. So far ICANN and VeriSign Registry Services have addressed
the issue by booting it down the chain. But the system as a whole
cannot work until there is someone willing to accept the liability and
for that to happen they are going to require tools to manage their
litigation risk.
Does anyone know of a dotcom registrar offering key signing?
Or is the big plan here that everyone who is not going to accept
liability keep complaining about how far behind the registrars are
until they are forced to act?
On Fri, Jul 16, 2010 at 2:13 PM, Iljitsch van Beijnum
<iljitsch(_at_)muada(_dot_)com> wrote:
On 16 jul 2010, at 19:56, Ronald van der Pol wrote:
http://fanf.livejournal.com/107310.html
Thanks! That was very useful. I finally got it working.
Yes, me too.
I would also like to check the output for a zone that is verifyable not
correct. Any examples of signed RRs with an incorrect signature?
I skipped this step:
In the options section of named.conf you should have the directive
dnssec-lookaside auto;
This enables DNSSEC lookaside validation, which is necessary to bridge gaps
(such as ac.uk) in the chain of trust between the root and lower-level signed
zones
with the result that www.ietf.org, www.iab.org, www.isc.org, all fail to
validate. Not sure what the deal is there. Only www.nic.cat works. BTW, this
is great:
https://addons.mozilla.org/en-US/firefox/addon/64247/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
--
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf