# DNSSEC keys version 1.18, Mar 14 2009
# by Paul Wouters <[email protected]>
# http://www.xelerance.com/software/dnssec-conf/
#
# This file contans notes on where and why we got certain DNSSEC keys
# This is required to prime DNSSEC aware caching resolvers such as Bind or Unbound
# Only KSK's are obtained for loading into the resolver. ZSK's are ignored.
#
# production - known good keys. Verified by a human. Usually updates are
#              posted on the DNS related mailinglists (dnsop, dnsex,
#              dnssec-deployment, namedroppers and dedicates lists for TLD's)
# testing    - testbed keys. These might affect production. Should not be
#              enabled unless you know what you're doing
# harvest    - keys were obtained querying the DNS. Unverified and fully
#              automated process. Use at own risk. Mostly used to detect
#              new keys that were not announced anywhere

# For TLD DNSSEC keys, please see http://www.xelerance.com/dnssec/

# in-addr.arpa. itself is not signed, but some domains inside it are:
# RIPE's in-addr.arpa. signed zones are obtained from RIPE's https server
# See https://www.ripe.net/projects/disi//keys/
#
# e164.arpa. (ENUM) is obtained from RIPE's https server
# All signed subdomains in e164.arpa. are properly delegated with DS records,
# and do not need a separate trust anchor in a resolver.
# See: http://www.ripe.net/enum/
#
# IDN test domains were harvested
# See http://www.icann.org/en/announcements/announcement-2-19jun07.htm
#
# dlv.isc.org
# ISC DLV Registry
# See https://secure.isc.org/index.pl?/ops/dlv/index.php

# The Root zone (test) and other test keys: http://ns.iana.org/
# disabled because you will have to resolve via their nameserver for
# these keys to work.