Comment 12 for bug 1500683

LaMont Jones (lamont) wrote :

The current state of the DNS is that the root zone is signed, and EVERYTHING delegated from it is signed by the root zone. Once you get below that, the lack of signatures on a zone is left as an exercise for the admins of that zone. (example.com can be delegated from the [signed] COM zone without being signed, and that's all good and fine and DNSSEC=auto handles that just fine.)

What doesn't work is when the admin chooses to use an undelegated top-level domain (TLD), which won't be signed by the root key, and therefore fails DNSSEC validation.

Especially given the recent changes in what constitutes a valid TLD, the admin choosing to use a TLD of their own choosing is hoping from their hearts that there will never be sufficient demand for that TLD to cause it to be created and subdomains sold therein by various registries. Because when that happens, and their users want to access things in that newly-created TLD, then they will get to go and change all of their domain names to avoid that.

Properly delegating children (whether that is published publicly or not) from domain names that are actually under the control of the admin is the only sane way of doing this.
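To illustrate the distinction the comment draws, here is an added example (not part of the bug report or of BIND) that models how a validating resolver classifies a name by walking the chain of trust from the root: an unsigned zone under a signed parent is "insecure" and resolves fine, while a name under an undelegated private TLD is "bogus". The delegation table and the states it records are constructed for the example; real validation checks DS records and RRSIG/NSEC proofs.

```python
# Constructed delegation table: parent zone -> {child label: state}
#   "secure"   : parent publishes a DS record and the child zone is signed
#   "insecure" : parent signs a proof that no DS exists (unsigned child)
# A label absent from a signed parent is undelegated: the parent signs a
# denial of existence for it, which locally served data cannot override.
DELEGATIONS = {
    ".": {"com": "secure", "net": "secure"},    # root signs every real TLD
    "com.": {"example": "insecure"},           # example.com delegated unsigned
    "example.com.": {"corp": "insecure"},      # child under the admin's control
}


def validation_status(name: str) -> str:
    """Walk the chain of trust from the root trust anchor down to `name`.

    Returns:
      "secure"   - every delegation down to name is signed and validated
      "insecure" - a signed parent proved a child is unsigned; data below
                   it is accepted without signatures (dnssec-validation auto)
      "bogus"    - a signed parent proves the child does not exist, so any
                   answer for names below it fails validation (SERVFAIL)
    """
    labels = name.rstrip(".").split(".")
    parent = "."
    status = "secure"  # the root zone is the configured trust anchor
    for label in reversed(labels):
        if status == "insecure":
            # Below an insecure delegation nothing further is validated.
            return status
        children = DELEGATIONS.get(parent, {})
        if label not in children:
            # Signed parent, no delegation: its denial of existence wins.
            return "bogus"
        status = children[label]
        parent = f"{label}." if parent == "." else f"{label}.{parent}"
    return status


if __name__ == "__main__":
    for n in ("www.example.com", "host.corp.example.com", "printer.lan"):
        print(f"{n:24s} -> {validation_status(n)}")
```

Running the block prints `insecure` for the two names under example.com and `bogus` for printer.lan, matching the behaviour described above.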