shared KSK for static zone and dynamic subzone?
/dev/rob0
rob0 at gmx.co.uk
Tue Apr 26 01:13:35 UTC 2011
I feel like I am understanding the "how" of this DNSSEC stuff, but
I'm not so sure about some of the "whys". This post is asking a bit
of both.
I've got a static zone, nodns4.us., which is now signed. It's the
parent zone to dynamic.nodns4.us., a dynamic zone. Is there any
reason why I can't use the parent zone's KSK for the dynamic zone?
Better yet, is there a reason why I shouldn't?
If I do, what (if anything) does the parent zone need as DS for the
dynamic zone? DNSKEY (the .key file as generated by dnssec-keygen(8))
goes into the dynamic zone via nsupdate(8) as per the
bind-9.8.0/arm/Bv9ARM.ch04.html#id2607351 documentation.
If using the same KSK, is that entered as a DNSKEY into the dynamic
zone also? But of course as dynamic.nodns4.us. rather than the name
as which it was generated, nodns4.us. (Maybe this is the problem?)
I tried adding the dsset-nodns4.us. to nodns4.us as DS for
dynamic.nodns4.us. But AFAICT the signature verification is failing.
I bet my idea about DS was wrong. But my idea about no DS was also
apparently wrong, because signatures didn't verify before adding DS
records to the parent.
How/where do you get these DS records with dynamic signing? My
dsset-nodns4.us. was generated by dnssec-signzone(8). I see no
mention in the ARM about this.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
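As an added example (not from the post, and not BIND's own code), here is how a DS record is derived from a DNSKEY under RFC 4034: the digest covers the owner name in wire form followed by the DNSKEY RDATA, so a key published at dynamic.nodns4.us. yields a different DS than the same key published at nodns4.us., while the key tag depends on the RDATA alone. The .key line and the key bytes below are constructed for illustration and are not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample in dnssec-keygen .key file format (NOT a real key:
# the public key bytes are simply 0x00..0x0f so results are reproducible).
SAMPLE_KEY_LINE = "nodns4.us. IN DNSKEY 257 3 8 AAECAwQFBgcICQoLDA0ODw=="


def parse_dnskey_line(line):
    """Return (owner, flags, protocol, algorithm, rdata) from a DNSKEY RR in
    presentation format; tolerates an optional TTL and a split base64 key."""
    fields = line.split(";", 1)[0].split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return fields[0], flags, protocol, algorithm, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: computed over the RDATA only."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root byte."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, rdata, digest_type=2):
    """DS RR text for the DNSKEY published at `owner` (RFC 4034 section 5.1.4):
    digest = hash(owner name in wire form || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type, digest)


def ds_for_child(key_line, child_owner):
    """DS the parent needs if the key in key_line is published at child_owner."""
    rdata = parse_dnskey_line(key_line)[4]
    return ds_record(child_owner, rdata)


if __name__ == "__main__":
    owner, *_, rdata = parse_dnskey_line(SAMPLE_KEY_LINE)
    print(ds_record(owner, rdata))                          # DS if published at nodns4.us.
    print(ds_for_child(SAMPLE_KEY_LINE, "dynamic.nodns4.us."))  # different digest, same tag
```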