DNSSEC for NS delegation record

Mark Andrews marka at isc.org
Tue Jul 17 22:29:10 UTC 2012

In message <349AF545493290449749762C5F03929A0CF3BCC5C3 at HQ-MB-08.ba.ad.ssa.gov>, "Khuu, Linh Contractor" writes:
> Hi,
> I have questions about how to configure the DNS with NS delegation record once it's signed.
> My DNS server is the parent zone, for example, "testing.net" and is signed with DNSSEC. My zone configuration is as follows:
> $TTL 36000
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
> @ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)
> Testing.net.         IN      NS      dns1.testing.net.
> Testing.net.         IN      NS      dns2.testing.net.
> www           IN      A
> access         IN      NS       sub1.testing.net.
> As of right now, the "sub1.testing.net" isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware.
> My question is, do we (as parent of testing.net zone) need to generate the key (KSK) and zone key (ZSK) for the "sub1.testing.net", or will the "sub1.testing.net" server need to do that? If they generate the keys to sign all the records in their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?

The child generates its own keys and sends the DNSKEY and/or matching
DS record to the parent.  It is the DS record that gets added to
the parent zone to make a secure delegation.  DS records are computed
from the DNSKEY record.

> Thanks,
> Linh Khuu

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

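The DS computation Mark describes, worked through as an added example (this is not code from the thread or from BIND; BIND ships `dnssec-dsfromkey` for the real job). DS RDATA is the key tag, the algorithm, the digest type and a digest over the child's owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5 and Appendix B). The DNSKEY used below is constructed: its 4-byte "public key" `AQIDBA==` is not a real key, it only makes the key-tag arithmetic checkable by hand. Algorithm 7 is used to match the `+007+` key files in the question; `ds_matches_dnskey` is the check a parent operator would run on whatever the child sends before pasting a DS into the parent zone.

```python
"""Derive a DS record from a child's DNSKEY and verify a DS against a DNSKEY.

Added example, not from the thread or from BIND.  DS RDATA layout (RFC 4034 5.1):
    key tag (16 bit) | algorithm (8 bit) | digest type (8 bit) |
    digest( canonical-wire(owner name) || DNSKEY RDATA )
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, uncompressed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    if protocol != 3:
        # RFC 4034 2.1.2: any other value makes the DNSKEY invalid for DNSSEC.
        raise ValueError("DNSKEY protocol field must be 3")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA, RFC 4034 Appendix B (not a hash:
    collisions are possible, which is why the digest is what really identifies the key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """SEP bit (bit 15) set, i.e. 257 rather than 256: the key a DS normally points at."""
    return bool(flags & 1)


def parse_dnskey(line: str):
    """Parse presentation-format 'owner [ttl] [IN] DNSKEY flags proto alg key...'.
    The base64 key may be split across several whitespace-separated tokens."""
    tok = line.split()
    owner = tok[0]
    idx = tok.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in tok[idx + 1 : idx + 4])
    key_b64 = "".join(tok[idx + 4 :])
    return owner, flags, protocol, algorithm, key_b64


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return the DS RDATA tuple (key tag, algorithm, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_line(owner: str, ds) -> str:
    """Presentation form of the DS, ready to go into the parent zone file."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def ds_matches_dnskey(ds, dnskey_line: str) -> bool:
    """Parent-side check: recompute the DS from the child's DNSKEY and compare,
    so a mistyped or stale DS is caught before it is published and breaks the delegation."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = ds
    return ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, dtype) == (
        tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 7, fake 4-byte key.
    child = "sub1.testing.net. IN DNSKEY 257 3 7 AQIDBA=="
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey(child)
    if not is_ksk(flags):
        print("warning: DNSKEY has no SEP bit; DS normally points at the KSK")
    ds = ds_from_dnskey(owner, flags, protocol, algorithm, key_b64)
    print(ds_line(owner, ds))
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, child))
```

The key tag for the constructed RDATA `01 01 03 07 01 02 03 04` is 2062 (sum of even bytes shifted left by 8 plus odd bytes, with the carry folded in). The owner name is hashed in lowercase wire form, so `SUB1.TESTING.NET` and `sub1.testing.net.` yield the same DS, while changing the owner, the flags or the key changes the digest, which is why the parent should compare against the DNSKEY the child actually serves rather than trust a DS sent by e-mail.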