On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> >
>> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
>> > gotten it to work. If I can get that to work though I guess that makes
>> > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
>> > will continue to mature.
>>
>> No, that wouldn't really work, because then you couldn't trust lookups
>> from the fedoraproject.org zone, which would include delegations to
>> the subdomains, the main website itself, MX records, etc.
>>
>
> But if fedoraproject.org pointed to some place that wasn't signed or was
> signed incorrectly, wouldn't that fail?

fedoraproject.org can't be a CNAME because it has other records like
MX, NS, SOA, etc. We'd have to switch to using
'www.fedoraproject.org' which could be a CNAME into an unsigned
subzone. But then you'd still have the problem of relying on an
unsigned zone serving up DNS data, eventually no one is going to trust
it.

--
Jeff Ollie

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
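
The two constraints raised in this message, as an added example that is not part of the original thread: a check for a CNAME coexisting with other records at one owner name, and a walk of a CNAME chain that marks the answer insecure once it enters an unsigned subzone. The zone records, the `web.us.fedoraproject.org.` target, the choice of `us.fedoraproject.org.` as the unsigned subzone, and the assumption that the parent zone is signed are all constructed for illustration.

```python
# Added illustration; zone data below is constructed, not Fedora's real zone.
from collections import defaultdict

# (owner, type, rdata) -- constructed sample records
ZONE = [
    ("fedoraproject.org.", "SOA", "ns1.fedoraproject.org. admin.fedoraproject.org. 1 3600 600 86400 300"),
    ("fedoraproject.org.", "NS", "ns1.fedoraproject.org."),
    ("fedoraproject.org.", "MX", "10 mail.fedoraproject.org."),
    ("www.fedoraproject.org.", "CNAME", "web.us.fedoraproject.org."),
    ("web.us.fedoraproject.org.", "A", "192.0.2.10"),
]
# Hypothetical delegation with no DS record in the parent, i.e. an unsigned subzone.
UNSIGNED_ZONES = {"us.fedoraproject.org."}

def cname_conflicts(records):
    """Owners where a CNAME coexists with other data (forbidden by RFC 1034 3.6.2)."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner.lower()].add(rtype)
    # RRSIG and NSEC are the DNSSEC exceptions allowed beside a CNAME (RFC 4035 2.5).
    return sorted(o for o, t in types.items()
                  if "CNAME" in t and t - {"CNAME", "RRSIG", "NSEC"})

def in_unsigned_zone(name, unsigned_zones):
    """True if name is at or below the apex of any unsigned zone."""
    name = name.lower()
    return any(name == z or name.endswith("." + z) for z in unsigned_zones)

def resolve_status(name, records, unsigned_zones, max_hops=8):
    """Follow CNAMEs; the answer is 'insecure' if any link lives in an unsigned zone."""
    cnames = {o.lower(): r.lower() for o, t, r in records if t == "CNAME"}
    chain, name = [], name.lower()
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        chain.append(name)
        if name not in cnames:
            break
        name = cnames[name]
    insecure = any(in_unsigned_zone(n, unsigned_zones) for n in chain)
    return chain, "insecure" if insecure else "secure"

if __name__ == "__main__":
    apex_cname = ZONE + [("fedoraproject.org.", "CNAME", "web.us.fedoraproject.org.")]
    print("conflicts with apex CNAME:", cname_conflicts(apex_cname))
    print("www lookup:", resolve_status("www.fedoraproject.org.", ZONE, UNSIGNED_ZONES))
```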