DNSSEC for NS delegation record
Khuu, Linh Contractor
Linh.Khuu at ssa.gov
Tue Jul 17 14:36:28 UTC 2012
I have questions about how to configure DNS with an NS delegation record once the zone is signed.
My DNS server is the parent zone, for example, "testing.net" and is signed with DNSSEC. My zone configuration is as follows:
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32934.key ; key signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)
Testing.net. IN NS dns1.testing.net.
Testing.net. IN NS dns2.testing.net.
www IN A 22.214.171.124
access IN NS sub1.testing.net.
As of right now, "sub1.testing.net" isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware.
My question is, do we (as parent of the testing.net zone) need to generate the key (KSK) and zone key (ZSK) for "sub1.testing.net", or will the "sub1.testing.net" server need to do that? If they generate the keys to sign all the records on their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?