Being able to verify signatures is of no value. The system only has value when you can act differently according to whether the signature verifies or not.

I keep asking, but nobody will tell me how I get the keys for my domains into the TLD.

This is not a trivial issue. There is a question of liability to be addressed. So far ICANN and VeriSign Registry Services have addressed the issue by booting it down the chain. But the system as a whole cannot work until there is someone willing to accept the liability and for that to happen they are going to require tools to manage their litigation risk.

Does anyone know of a dotcom registrar offering key signing?

Or is the big plan here that everyone who is not going to accept liability keep complaining about how far behind the registrars are until they are forced to act?

On Fri, Jul 16, 2010 at 2:13 PM, Iljitsch van Beijnum <iljitsch@xxxxxxxxx> wrote:
> On 16 jul 2010, at 19:56, Ronald van der Pol wrote:
>
>>> http://fanf.livejournal.com/107310.html
>
>> Thanks! That was very useful. I finally got it working.
>
> Yes, me too.
>
>> I would also like to check the output for a zone that is verifiably not
>> correct. Any examples of signed RRs with an incorrect signature?
>
> I skipped this step:
>
> In the options section of named.conf you should have the directive
> dnssec-lookaside auto;
> This enables DNSSEC lookaside validation, which is necessary to bridge gaps (such as ac.uk) in the chain of trust between the root and lower-level signed zones
>
> with the result that www.ietf.org, www.iab.org, www.isc.org, all fail to validate. Not sure what the deal is there. Only www.nic.cat works.
>
> BTW, this is great:
>
> https://addons.mozilla.org/en-US/firefox/addon/64247/
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
>

--
Website: http://hallambaker.com/