Hi Leen, Paul, On 8/23/2012 2:14 AM, Leen Besselink wrote: > > You'll need a stub-zone and (auto-)trust-anchor for > each TLD that supports DNSSEC. > On 8/23/2012 3:40 PM, Paul Wouters wrote: > >> if 42 TLD supports/has DNSSEC components, then >> how can i use them ? or >> how to enable DNSSEC for 42 TLD ? > > You can preload any dnssec key with trusted-keys-file: > What you are doing (at the root) is not much different > from adding "private views" higher up. So googling for > "bind views" might help you as well. For example, let us assume, '42' TLD has it's own DS, RRSIG, etc DNSSEC records for the "42." TLD, then doing such would be suffice in service.conf or in unbound.conf ? : # removed or 'commented-out' the below line #domain-insecure: "42" stub-zone: name: "42" # http://42registry.org/ stub-addr: 220.127.116.11 # name / DNS Srvr stub-addr: 18.104.22.168 stub-addr: 22.214.171.124 # test with "search.42" trust-anchor-file: "C:\Program Files\Unbound\42registry.42.key" (Now hypothetically) if cesidianRoot signs all of their 84 TLDs which are under their authority, with similar/same key, then, do i have to add 84 "trust-anchor-file: "filename" lines ? Thanks for all of your help on these. Bry8Star.