RFC 2065: Domain Name System Security Extensions
RFC-Ref

Secure Zone



... support the additional resource types (see Section 8). The one exception is that CNAME referrals from a secure zone can not be authenticated if they are from non-security ...


... zone KEY RR MUST occur at the apex node of a secure zone and at every leaf node which is a delegation ...
... node which is a delegation point (and thus the same owner name as the apex of a subzone) within a secure zone. ...
... information if space is available. There will always be at least one such KEY RR in a secure zone, even if it has the no-key type value to indicate that the subzone is insecure. If not all additional ...


... In a secure zone, a resolver can query for the initial NXT associated ...


... and, if the zone is not root, for its superzone. Every authoritative secure zone server MUST also include the KEY RR for a super-zone signed by the secure zone ...
... secure zone server MUST also include the KEY RR for a super-zone signed by the secure zone via a keyfile directive. This makes it possible to climb the tree of zones if one starts ...
... A resolver should keep track of the number of successive secure zones traversed from a starting point to any secure zone ...
... secure zones traversed from a starting point to any secure zone it can reach. In general, the lower such a distance number is, the greater the confidence in the data. Data configured via a boot file directive ...
... A security conscious resolver should completely refuse to step from a secure zone into a non-secure zone unless the non-secure zone is ...
... counterfeit. The "distance" to data in such zones or zones reached via such zones could be set to 512 or more as this exceeds the largest possible distance through secure zones in the DNS. Nevertheless, continuing to apply secure checks within "secure" zones ...


... NXT RRs. Any secondary, caching, or other server for a secure zone MUST be at least minimally compliant and even then some things, such as secure CNAMEs ...
... RRs at delegation points. Primary servers for secure zones MUST be fully compliant and for completely successful secure operation, all secondary, caching, and other servers handling the zone SHOULD ...


