DNSSEC for NS delegation record

Khuu, Linh Contractor Linh.Khuu at ssa.gov
Tue Jul 17 14:36:28 UTC 2012


I have questions about how to configure the DNS with an NS delegation record once it's signed.

My DNS server is the parent zone, for example, "testing.net", and is signed with DNSSEC. My zone configuration is as follows:

$TTL 36000
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32934.key ; key signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)

Testing.net.         IN      NS      dns1.testing.net.
Testing.net.         IN      NS      dns2.testing.net.
www           IN      A
access         IN      NS       sub1.testing.net.

As of right now, the "sub1.testing.net" isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware.

My question is, do we (as parent of the testing.net zone) need to generate the key signing key (KSK) and zone signing key (ZSK) for "sub1.testing.net", or will the "sub1.testing.net" server need to do that? If they generate the keys to sign all the records on their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?

Linh Khuu
