DNSSEC DSSET & KEYSET

Evan Hunt each at isc.org
Thu Jan 28 15:42:11 UTC 2010


> Is there a tool/process to verify if the parent domain has DSSET,
> KEYSET, or keys in place for the child domain?  Thanks.

"dig ds <yourdomain>", and check that a) DS records are returned, and
b) the first field of at least some of the DS records matches the key ID of
the key-signing key for your zone.  For example, isc.org is using key 12892:

$ dig +short ds isc.org
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

...so we're fine.

And of course, you could also configure a validating resolver (or drill
or dig +sigchase) with a trust anchor for the parent, and make sure the
validation process works.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
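
The check described in this reply, taken one step further to compare the whole DS digest and not only the key ID. This is an added example, not part of the original post and not BIND code: it recomputes the DS record per RFC 4034 from `dig +short dnskey` output and compares it with `dig +short ds` output. The zone `example.test`, the sample keys and all function names are constructed for illustration.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (SHA-1), 2 (SHA-256)
# Constructed sample data (not real keys): a KSK (flags 257) and a ZSK (flags 256).
SAMPLE_DNSKEY = ["257 3 5 AQIDBAUGBwg=", "256 3 5 AQIDBAUGBwk="]

def dnskey_rdata(line):
    """Turn one `dig +short dnskey` line into wire-format DNSKEY RDATA."""
    flags, proto, alg, *b64 = line.split()
    head = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return head + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key ID per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone, rdata, digest_type):
    """Fields of the DS record the parent should hold for this key."""
    labels = zone.lower().rstrip(".").split(".")
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = DIGESTS[digest_type](owner + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def parse_ds(line):
    """Parse a `dig +short ds` line; dig splits long digests with spaces."""
    tag, alg, dtype, *hexparts = line.split()
    return (int(tag), int(alg), int(dtype), "".join(hexparts).upper())

def check_delegation(zone, ds_lines, dnskey_lines):
    """Key IDs of KSKs whose recomputed DS equals a DS held by the parent."""
    ds_set = {parse_ds(l) for l in ds_lines if l.strip()}
    matched = set()
    for line in dnskey_lines:
        rdata = dnskey_rdata(line)
        if not rdata[1] & 0x01:  # SEP bit clear: treat as zone-signing key
            continue
        for dtype in DIGESTS:
            if make_ds(zone, rdata, dtype) in ds_set:
                matched.add(key_tag(rdata))
    return sorted(matched)

if __name__ == "__main__":
    ksk = dnskey_rdata(SAMPLE_DNSKEY[0])
    ds = ["%d %d %d %s" % make_ds("example.test", ksk, t) for t in (1, 2)]
    print("parent DS set:", ds)
    print("KSKs covered:", check_delegation("example.test", ds, SAMPLE_DNSKEY))
```

An empty result means no DS at the parent matches any key-signing key in the zone, which covers both a missing DS and a stale DS left behind after a key rollover.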
