Collaborate Disseminate
RFC 4035, section 5.3.1 lays out the rules for validating DNSSEC RRSIG records:
The RRSIG RR and the RRset MUST have the same owner name and the same class.
The RRSIG RR’s Signer’s Name field MUST be the name of the zone that contains th… Continue reading How to validate DNSSEC signatures – zone cuts?
I’m looking for a compact, canonical (and possibly but not necessarily human-readable) format for serializing the signature chain for a RRset (or proof that it lies under an insecure delegation) for permanent recording and offline checking… Continue reading Tooling and serialization format for DNSSEC signture chain
I’m adopting/setting up DNSSEC on my domains for the first time, and curious about the practical benefits I can expect. In theory, regardless of whether client/stub resolvers want checking, recursive nameservers can request signature chain… Continue reading What portion of recursive (ISP, public, etc.) nameservers validate DNSSEC strictly?