Maintained by: NLnet Labs

[Unbound-users] Delegation-only zones and non-root zone RFC 5011?

Viktor Dukhovni
Tue Jan 20 05:32:16 CET 2015

On Mon, Jan 19, 2015 at 10:21:36AM +0000, Tony Finch wrote:

> > > On Sat, Jan 17, 2015 at 10:08:48PM +0000, Viktor Dukhovni wrote:
> > >
> > >> Also, how would one configure unbound to use an auto-trust-anchor-file
> > >> via RFC 5011 for a given gTLD or ccTLD?
> > >
> > > Any comment on my second question?  If one enables RFC 5011 tracking
> > > for all the trust anchors one cares about, it is no longer necessary
> > > to worry about delegation-only above those trust anchors.
> I don't know of any zones other than the root which promise to follow the
> RFC 5011 key rollover timing requirements. (And even the root zone does it
> wrong by not having a standby KSK.)
> If you want to use RFC 5011 on a TLD you will have to inspect their
> DNSSEC Practice Statement with care.

Yes of course, that makes sense.  We may not be quite there yet.
And yet at some point this may become more important, and so the
question is whether unbound is ready to support such non-root zones
if/when they show up...

I can, for example, envision the ".de" TLD adopting such a policy,
and interested resolvers starting to track those keys per RFC 5011,
thereby closing opportunities for the root zone keys to return
improper .de answers.
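As an added illustration of the configuration asked about above (not from this thread, and not NLnet Labs' own documentation): unbound accepts `auto-trust-anchor-file` more than once, one file per zone, and validates a name under the closest enclosing trust anchor it has, so a tracked .de anchor would take precedence over the root anchor for .de names. The file paths and the .de anchor are assumptions; the seed record must come from the TLD's published trust anchor, and only makes sense once its DPS commits to RFC 5011 rollover timing.

```conf
server:
    # Root zone anchor, tracked with RFC 5011 probes.
    # unbound rewrites this file with key state, so it must be writable by unbound.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hypothetical anchor for the .de TLD, also tracked per RFC 5011.
    # Seed the file once with the zone's current DS or DNSKEY record, e.g.
    # (placeholder fields, not a real record):
    #   de. IN DS <keytag> <algorithm> <digest-type> <digest>
    # From then on unbound maintains the file itself (add-hold/valid/revoked state).
    auto-trust-anchor-file: "/var/lib/unbound/de.key"
```

Run `unbound-checkconf` after editing to confirm the file parses and the anchor files are readable.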