DNSSEC not populating parent zone files with DS records

Tony Finch dot at dotat.at
Mon Oct 3 13:59:38 UTC 2011

Michael Sinatra <michael at rancid.berkeley.edu> wrote:
> There are ways of getting the DS records into the zone(s).  Here are some
> steps that I took on some test zones:

Alternatively, set "update-policy local;" on your parent zone and use this
little pipeline on the master server. Substitute $parent and $child as

  dig +noall +answer dnskey $child |
  dnssec-dsfromkey -f /dev/stdin $child |
  (echo "zone $parent"; sed 's/^/update add /'; echo "send") |
  nsupdate -l
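
Added example, not part of the original post: a shell helper that can stand in for the sed stage of the pipeline above. Unlike the original, it replaces the child's DS RRset in a single update, checks that every input record is a DS owned by $child, and emits nothing when no DS records arrive, so a failed dig cannot remove the existing DS set. The name build_ds_update and the 3600-second default TTL are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). build_ds_update is a
# hypothetical helper: it reads DS records in the output format of
# dnssec-dsfromkey on stdin and writes an nsupdate batch on stdout.
# Usage: ... | build_ds_update PARENT CHILD [TTL]   (default TTL is an assumption)
build_ds_update() {
    awk -v parent="${1%.}." -v child="${2%.}." -v ttl="${3:-3600}" '
    function fail(msg) {
        print "build_ds_update: " msg > "/dev/stderr"
        bad = 1
        exit 1
    }
    BEGIN {
        p = tolower(parent); c = tolower(child)
        if (ttl !~ /^[0-9]+$/) fail("bad TTL " ttl)
        # The child must sit strictly below the parent zone.
        if (length(c) <= length(p) || substr(c, length(c) - length(p)) != "." p)
            fail(child " is not below " parent)
    }
    NF == 0 || /^;/ { next }            # skip blank lines and comments
    {
        owner = tolower($1)
        if (owner !~ /\.$/) owner = owner "."
        if (owner != c) fail("unexpected owner name " $1)
        i = 2
        if ($i ~ /^[0-9]+$/) i++        # optional TTL field
        if (toupper($i) == "IN") i++    # optional class field
        if (toupper($i) != "DS") fail("not a DS record: " $0)
        digest = ""                     # digest may be split into chunks
        for (j = i + 4; j <= NF; j++) digest = digest $j
        if ($(i+1) !~ /^[0-9]+$/ || $(i+2) !~ /^[0-9]+$/ ||
            $(i+3) !~ /^[0-9]+$/ || digest !~ /^[0-9A-Fa-f]+$/)
            fail("malformed DS record: " $0)
        rec[++n] = sprintf("update add %s %s IN DS %s %s %s %s",
                           child, ttl, $(i+1), $(i+2), $(i+3), toupper(digest))
    }
    END {
        if (bad) exit 1
        # An empty DS set must never reach the delete below.
        if (n == 0) { print "build_ds_update: no DS records" > "/dev/stderr"; exit 1 }
        print "zone " parent
        print "update delete " child " DS"
        for (k = 1; k <= n; k++) print rec[k]
        print "send"
    }'
}
```

In the pipeline it takes the place of the third stage: `... | dnssec-dsfromkey -f /dev/stdin $child | build_ds_update $parent $child | nsupdate -l`.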

