DNSSEC DSSET & KEYSET

Chris Thompson cet1 at cam.ac.uk
Thu Jan 28 18:14:48 UTC 2010


On Jan 28 2010, Joseph S D Yao wrote:

>On Thu, Jan 28, 2010 at 03:42:11PM +0000, Evan Hunt wrote:
>> 
>> > Is there a tool/process to verify if the parent domain has DSSET,
>> > KEYSET, or keys in place for the child domain?  Thanks.
>> 
>> "dig ds <yourdomain>", and check that a) DS records are returned, and
>> b) the first field of at least some of the DS records match the key ID of
>> the key-signing key for your zone.  For example, isc.org is using key 12892:
>
>
>Apologies if I'm missing something, but wouldn't this read the DS
>records off the domain's own name servers, rather than the parent's?
>Shouldn't there be an additional @parent.name.server argument?

Not necessary if the nameserver you are sending the dig request to
is DNSSEC-aware, and therefore following RFC 4035 section 3.1.4.1.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
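
The check described in the quoted reply (compare the first field of each DS record with the key ID of the zone's key-signing key), as an added example that is not part of the original thread. The zone `example.test`, its records, and the function names are constructed for illustration; the key ID is computed with the RFC 4034 Appendix B key tag algorithm.

```python
import base64

# Constructed dig-style answers for a made-up zone (not real output).
DNSKEY_ANSWER = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAQ==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAQ==
"""
DS_ANSWER = """\
example.test. 86400 IN DS 1803 8 2 """ + "ab" * 32 + """
example.test. 86400 IN DS 4242 8 2 """ + "cd" * 32 + """
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def records(answer, rrtype):
    """Yield the RDATA fields of each 'name ttl IN type rdata...' line of rrtype."""
    for line in answer.splitlines():
        f = line.split()
        if len(f) > 4 and not line.startswith(";") and f[3] == rrtype:
            yield f[4:]

def ksk_tags(dnskey_answer):
    """Map key tag -> algorithm for DNSKEYs with the SEP bit set (flags 257)."""
    tags = {}
    for flags, proto, alg, *key in records(dnskey_answer, "DNSKEY"):
        if int(flags) & 1:
            tags[key_tag(int(flags), int(proto), int(alg), "".join(key))] = int(alg)
    return tags

def matching_ds(ds_answer, dnskey_answer):
    """Key tags of DS records whose tag and algorithm match a KSK in the zone.
    The DS digest field is not verified here; only the key ID comparison is done."""
    ksks = ksk_tags(dnskey_answer)
    return [int(tag) for tag, alg, *_ in records(ds_answer, "DS")
            if ksks.get(int(tag)) == int(alg)]

if __name__ == "__main__":
    print("KSK key tags:", ksk_tags(DNSKEY_ANSWER))
    print("DS records matching a KSK:", matching_ds(DS_ANSWER, DNSKEY_ANSWER))
```

An empty result from `matching_ds` means the parent publishes no DS that points at any current key-signing key in the zone.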


