DNSSEC for NS delegation record
marka at isc.org
Tue Jul 17 22:29:10 UTC 2012
In message <349AF545493290449749762C5F03929A0CF3BCC5C3 at HQ-MB-08.ba.ad.ssa.gov>, "Khuu, Linh Contractor" writes:
> I have questions about how to configure the DNS with NS delegation record once it's signed.
> My DNS server is the parent zone, for example, "testing.net" and is signed with DNSSEC. My zone configuration is as follows:
> $TTL 36000
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
> @ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 1=
> Testing.net. IN NS dns1.testing.net.
> Testing.net. IN NS dns2.testing.net.
> www IN A 22.214.171.124
> access IN NS sub1.testing.net.
> As of right now, the "sub1.testing.net" isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware.
> My question is, do we (as parent of testing.net zone) need to generate the key (KSK) and zone key (ZSK) for the "sub1.testing.net" or should "sub1.testing.net" server will need to do that? If they generate the keys to sign all the records in their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?
The child generates its own keys and sends the DNSKEY and/or matching
DS record to the parent. It is the DS record that gets added to
the parent zone to make a secure delegation. DS records are computed
from the DNSKEY record.
> Linh Khuu
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
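As an added illustration of the reply above (not code from the original thread, from Mark Andrews or from ISC), the following Python script computes the DS record the parent publishes from a child zone's DNSKEY, following RFC 4034 section 5: the digest is taken over the canonical (lower-case) wire-format owner name followed by the DNSKEY RDATA, and the key tag is the RFC 4034 appendix B checksum over that RDATA. The DNSKEY line is constructed for this example and carries a random-looking public key that does not belong to any real zone; the owner name access.testing.net. is the delegated name in the posted zone, and algorithm 8 (RSASHA256) and digest type 2 (SHA-256) are assumptions, since the post does not say which the child will use.

```python
"""Derive the parent-side DS record from a child zone's DNSKEY (RFC 4034 section 5).

Added example; the DNSKEY below is constructed for illustration only.
"""
import base64
import hashlib

# IANA DS digest types. SHA-1 (1) is only kept for reading old zones;
# SHA-256 (2) is what a parent should publish today.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed DNSKEY for the delegated name in the post; the key material is
# arbitrary bytes, not a real key. Flags 257 = ZONE + SEP (a KSK), protocol 3,
# algorithm 8 assumed.
SAMPLE_DNSKEY = (
    "access.testing.net. IN DNSKEY 257 3 8 "
    "AwEAAaYPfLxk4uSgWQjGJ7Y5fTj1qL6KdR9cM3vN8bZ2eH0sX4wP"
)


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format, lower-cased and fully qualified.

    RFC 4034 requires the canonical (lower-case) form when computing the digest,
    so ACCESS.Testing.NET. and access.testing.net. yield the same DS.
    """
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        encoded = label.encode("ascii")
        if len(encoded) > 63:
            raise ValueError("label too long: %r" % label)
        wire += bytes([len(encoded)]) + encoded
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Return the DS record (presentation format) the parent adds for this DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    if not flags & 0x0001:
        raise ValueError("ZONE flag clear: this DNSKEY cannot sign a zone")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner.lower(), key_tag(rdata), algorithm, digest_type, digest)


if __name__ == "__main__":
    # The parent pastes this line into testing.net's zone next to the NS delegation.
    print(make_ds(SAMPLE_DNSKEY))
```

For a real key the output should match what BIND's own dnssec-dsfromkey -2 prints for the child's KSK file; the parent only ever needs the public DNSKEY (or the DS derived from it), never the child's private key, and it is the DS, not the DNSKEY, that goes into the parent zone beside the NS records.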