US government mandates? use of DNSSEC by federal agencies

Leo Bicknell bicknell at
Wed Aug 27 12:24:05 CDT 2008

In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:
> Note that if you do turn on DNSSEC, you're going to have to make sure  
> the trust anchors you configure get updated.  Trust anchors have a  
> validity period and if they're not updated before they expire  
> validation will fail (which will appear to users of the resolver  
> pretty much like a DNS failure for all the names in the signed zone).   
> "Be careful out there."

While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431.  You can run
your own setup, or trust someone to do it for you.  Note that ISC
runs a DLV registry, if you wanted to trust them:

       Leo Bicknell - bicknell at - CCIE 3440
        PGP keys at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list