DNSSEC not populating parent zone files with DS records

Bill Owens owens at nysernet.org
Tue Oct 4 19:24:57 UTC 2011

On Tue, Oct 04, 2011 at 06:31:03PM +0000, Raymond Drew Walker wrote:
> I have been unable to determine the correct method to add a DS record by
> hand. The ultimate goal would be the automation of this process.

Generate the DS record with dnssec-dsfromkey, cut and paste it into the zone file, then re-sign the zone (or add it with nsupdate, or however you put records into the nau.edu zone).

> Am I also missing somewhere in the RFC where NS records of children zones
> need be populated in the parent? Is this something that has changed with
> the addition of DNSSEC?

AFAIK that's always been the case; RFC1034 references it:
"As the last installation step, the delegation NS RRs and glue RRs necessary to make the delegation effective should be added to the parent zone."
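
For the automation goal raised in the thread, the following added example (not part of the original message, and not BIND's code) shows how the DS fields are derived from a child's DNSKEY per RFC 4034, so a script can generate or cross-check the record before it is placed in the parent zone. The zone name `child.example.edu.`, the key bytes and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line):
    """Build a SHA-256 (digest type 2) DS line from one single-line DNSKEY record."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if not flags & 0x0100 or proto != 3:
        raise ValueError("a DS must reference a zone key (flag bit 0x0100) with protocol 3")
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[i + 4:]))
    # DS digest input is the owner name in wire form followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return f"{fields[0].lower()} IN DS {key_tag(rdata)} {alg} 2 {digest}"

# Constructed sample: hypothetical child zone, placeholder key bytes (not a real key).
SAMPLE_DNSKEY = ("child.example.edu. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```

Comparing the key tag and digest produced this way against the DS record actually published in the parent is a quick check that the delegation points at the key the child is really signing with.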


