On Mon, 2006-02-27 at 14:30 +0300, Max Tulyev wrote:
Another trick to delegate the maintaining work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.
It's like black magic :(
localhost bind # ping dlv.verisignlab.com
ping: unknown host dlv.verisignlab.com
Try adding an 's'. The above is a very nice example of a domainsquatter (also something where neither dnssec nor tls can help, as anyone can register any domain).

$ dig -t any dlv.verisignlabs.com
;; Truncated, retrying in TCP mode.
[..]
dlv.verisignlabs.com. 86400 IN NS ns1.dlv.verisignlabs.com.
dlv.verisignlabs.com. 3600 IN DNSKEY 256 3 5 AQOlH7LDa3Sy/rK +WyqydkS94p1hWWhEyTdZhxwuz/1zPGqh8pc8lXNj tOqcVXNSQX1XCSJPhW8XylXlq8gLlyRiVUs+TBoKrGYs7VARuLqZZDW4 Utu +VuDsTCjxjtAgxH15KfJbmnpMP3ffQvDHzyj8F2Dw6aaLHAwot3eI YWOy7w==
[..]
localhost bind # ping dnssec.iks-jena.de
ping: unknown host dnssec.iks-jena.de
Doesn't have an A record, but does have a large number of others. Use the 'dig'.

Greets,
Jeroen
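
Added example, not part of the original message: a small check that reads the lookaside zone out of a BIND configuration and flags a name that is only a character or two away from a known one, which is the one-letter slip discussed above. The known-zone list holds the two names from the thread; the sample configuration, the function names and the distance threshold are assumptions made for illustration.

```python
import re

# Lookaside zone names taken from the thread (with the corrected spelling).
KNOWN_DLV = {"dlv.verisignlabs.com", "dnssec.iks-jena.de"}

# BIND option form: dnssec-lookaside <domain> trust-anchor <dlv-zone>;
LOOKASIDE_RE = re.compile(
    r'dnssec-lookaside\s+"?[^\s";]+"?\s+trust-anchor\s+"?([^\s";]+)"?\s*;', re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_lookaside(conf_text, known=KNOWN_DLV, max_dist=2):
    """Return (zone, verdict, closest_known) for each lookaside statement."""
    findings = []
    for m in LOOKASIDE_RE.finditer(conf_text):
        zone = m.group(1).rstrip(".").lower()
        if zone in known:
            findings.append((zone, "ok", zone))
            continue
        closest = min(known, key=lambda k: edit_distance(zone, k))
        # A near miss of a known name is more suspicious than an unrelated one.
        near = edit_distance(zone, closest) <= max_dist
        findings.append((zone, "lookalike" if near else "unknown", closest))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = '''
options {
    dnssec-enable yes;
    dnssec-lookaside "." trust-anchor dlv.verisignlab.com.;
};
'''

if __name__ == "__main__":
    for zone, verdict, closest in check_lookaside(SAMPLE_CONF):
        print(f"{zone}: {verdict} (closest known: {closest})")
```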