DNSSEC and child zones on same authoritative NS. Expert help needed.

Mark Andrews marka at isc.org
Tue Mar 16 02:29:50 UTC 2010


In message <4B9EE17D.8020802 at gmail.com>, Gary Wallis writes:
> Let's say I have this setup :
> 
> BIND 9.4 named.conf includes a master.zones file with the following:
> 
> ...
>          zone "ns1.yourdomain.com" {
>                  type master;
>                  file "master/external/n/ns1.yourdomain.com.signed";
>          };
> 
>          zone "ns2.yourdomain.com" {
>                  type master;
>                  file "master/external/n/ns2.yourdomain.com.signed";
>          };
> 
>          zone "yourdomain.com" {
>                  type master;
>                  file "master/external/y/yourdomain.com.signed";
>          };
> ...
> 
> More background for question below:
> 
> The yourdomain.com is I gather the zone APEX for all featured zones 
> above. (Is this the correct use of the term APEX?)

Parent.
 
> I am learning via trial and error about transitioning from DNS to DNSSEC 
> and we have these child zones (is ns1.yourdomain.com really a child 
> zone, as regards the setup above?) that currently have precedence over 
> the parent zone yourdomain.com for conflicting A records. For example:
> 
> If
> 
> ns1 A 123.123.123.123
> 
> is placed in yourdomain.com zone.
> 
> And a similar RR is placed in ns1.yourdomain.com zone, like:
> 
> ns1 IN A 10.0.0.1
> 
> And named reloaded.
> 
> dig @localhost ns1.yourdomain.com A +short
> 
> will return 10.0.0.1, the parent A RR is ignored.
> 
> Questions:
> 
> If I sign these three zones with their own KSK and ZSK pairs will DNSSEC 
> be broken? Or will it work as above?

Assuming it's all fully delegated everything will work.
 
> Would the chain of trust be broken, unless we provide the external 
> parent (in this example case .com TLD ) with all public keys? (Or the 
> keys wrapped in a single key?)

You provide the parent (COM) with the DS records for the child
(yourdomain.com) zone.
 
> Is this a case where we would use DS RRs or some similar scheme in the 
> apex zone?

You add DS records for the grand child (ns1.yourdomain.com) zone to the
child (yourdomain.com) zone.
 
> Or should we just not allow child zones at all on our authoritative NS? 
> That of course would make this mess (and my confusion about it) go away.

The answer to that depends on *why* you have these child zones.

> But it would be great to hear from a BIND expert about this. And please 
> correct my probable confusion and incorrect use of DNSSEC jargon.
> 
> Best regards,
> Gary
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
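Mark's two answers come down to one rule: take each signed zone's KSK, derive a DS from it, and publish that DS one level up (the DS for yourdomain.com goes to COM, the DS for ns1.yourdomain.com goes into the yourdomain.com zone). BIND's dnssec-dsfromkey does this calculation; the Python below is an added example, not code from the thread, showing the RFC 4034 computation in the open. The DNSKEY material is a constructed placeholder, not a real key.

```python
# Added example, not from the thread: derive the DS record that a parent zone
# publishes for a signed child (RFC 4034 section 5 and appendix B).
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed, root-terminated."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """The low bit (0x0001) of the DNSKEY flags is SEP: KSKs carry flags 257, ZSKs 256."""
    return bool(flags & 0x0001)


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS presentation line for one DNSKEY. digest_type 1 = SHA-1, 2 = SHA-256."""
    # Policy check, not an RFC requirement: the parent should point at the KSK,
    # so refuse a ZSK (flags 256), which is the key that rolls most often.
    if not is_ksk(flags):
        raise ValueError("DNSKEY has no SEP bit; build the DS from the KSK (flags 257)")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # KeyError for other types
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Constructed placeholder key material (flags 257 = KSK, algorithm 8 = RSASHA256).
    FAKE_KSK = "AQIDBA=="
    # This line goes into the yourdomain.com zone file (the "child" in Mark's terms):
    print(make_ds("ns1.yourdomain.com.", 257, 3, 8, FAKE_KSK))
    # This line goes to the COM registrar for the yourdomain.com delegation:
    print(make_ds("yourdomain.com.", 257, 3, 8, FAKE_KSK))
```

After publishing, `dig +dnssec ns1.yourdomain.com DS @<yourdomain.com server>` should return a signed DS whose key tag matches the grand child's KSK; a mismatch is exactly the "chain of trust broken" case Gary asks about.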


