Setup a DNSSEC with my own public and private key

Jim Reid jim at rfc1035.com
Mon Jun 28 12:24:31 UTC 2004


>>>>> "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:

    Manuel> Hi and thanks both Jim and Edward.  Currently, the
    Manuel> dnssec-* tools allow signing the zones and authenticating
    Manuel> the source of a dynamic update. The user can check this
    Manuel> signature for testing out the integrity/authenticity of
    Manuel> the responses but, how can the user be sure that this
    Manuel> signature can be trusted?

I'm not sure I understand the question. The decision about trusting
(or not) a SIG(0) key pair is simple. If the DNS administrator trusts
a particular key, he/she puts it in the zone file and has an
allow-update{} or update-policy{} clause which determines what update
requests are allowed or denied with that key. If a key isn't trusted,
the DNS administrator simply shouldn't be introducing it to their name
servers, except perhaps to put it in an ACL which defines clients that
aren't allowed to update anything. That isn't really necessary, though,
since the BIND9 default is to reject all dynamic updates except for
those that are explicitly allowed.

    Manuel> For this, I'd like to establish my keys where the PKI
    Manuel> provides this trust.

Hmm. I can't see how that could work unless the name server was able
to authenticate things like X.509 certificates. Good luck writing up
an internet draft for that and steering it through the IETF. :-)

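As an added illustration of the arrangement Jim describes (constructed here, not part of the original thread): the client's SIG(0) public key is published as a KEY record in the zone, and the zone's update-policy{} grants that key the right to change only its own name, so the default deny still covers everything else. The zone, key name and key data are placeholders.

```conf
;; --- example.com zone file (constructed example) ---
;; The KEY RR is the public half produced by
;;   dnssec-keygen -a RSASHA1 -b 1024 -n HOST host1.example.com
;; Base64 key data replaced by a placeholder.
$ORIGIN example.com.
host1           IN KEY  512 3 5 ( <base64-public-key-placeholder> )
host1           IN A    192.0.2.10

// --- named.conf zone statement (constructed example) ---
zone "example.com" {
    type master;
    file "example.com.zone";
    // Trusted SIG(0) key host1.example.com. may only alter A/AAAA
    // records at its own name ("self"); every other update request,
    // signed or not, is refused because nothing else is granted.
    update-policy {
        grant host1.example.com. self host1.example.com. A AAAA;
    };
};

// Weaker alternative, for comparison: the same key could change any
// record in the zone.
// zone "example.com" { ... allow-update { key host1.example.com.; }; };
```

After reloading, a client holding the matching private key can submit updates with `nsupdate -k <keyfile>`; an attempt to modify any name other than host1.example.com. should come back REFUSED, which is a quick way to confirm the policy is in effect.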
