DNSSEC for NS delegation record
marc.lampo at eurid.eu
Wed Jul 18 06:34:28 UTC 2012
(the easiest way)
1) The admins of sub1.testing.net. should generate ZSK and KSK.
-> The parent cannot do this for the child
2) You do not need the key file*s* of the child, in the parent.
If, by using the plural form, you mean both public (.key) and private
3) The easiest way : using the bind tools (and this is the bind
the child will find a dsset- file after signing its zone
-> the parent can include *this* file in its testing.net zone
The child can provide the public part of the KSK
and, using the bind tool dnssec-dsfromkey the parent can obtain the DS
4) How to include :
You are already using $INCLUDE statements now, so include the file with the
DS info, I'd say.
One additional comment :
By signing the child sub1.testing.net. only, not much will happen.
You need to complete the chain of trust by also signing the parent
and having its DS information published in its parent, net.!
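What dnssec-dsfromkey computes for the parent from the child's public KSK, as an added Python example that is not part of this thread or of BIND: the DS RDATA of RFC 4034 (key tag, algorithm, digest type, and the digest over the canonical owner name plus the DNSKEY RDATA). The DNSKEY line is constructed for illustration; its four public-key bytes are not a usable key, only the name sub1.testing.net. comes from the thread. In practice the parent uses the dsset- file or dnssec-dsfromkey; this shows the derivation so a parent operator can check that a DS handed over by the child really matches the published DNSKEY.

```python
"""Derive a DS record from a child zone's public KSK (added example).

The parent takes the child's public DNSKEY (the content of the .key file)
and computes the DS RDATA defined in RFC 4034: key tag, algorithm, digest
type, and the digest of (owner name in canonical wire form || DNSKEY RDATA).
"""
import base64
import hashlib

# Constructed sample: flags 257 = ZONE + SEP bits (a KSK), protocol 3,
# algorithm 8 = RSASHA256, and four placeholder public-key bytes.
SAMPLE_DNSKEY_LINE = "sub1.testing.net. IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a DNSKEY record in presentation format into (owner, rdata)."""
    fields = line.split()
    # An optional TTL may sit between owner and class; drop it if present.
    if fields[1].isdigit():
        del fields[1]
    owner, _cls, rtype, flags, protocol, algorithm, *b64 = fields
    if rtype.upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    pubkey = base64.b64decode("".join(b64))
    # DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key.
    rdata = int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + pubkey
    return owner, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Build the DS record text the parent publishes for the child's KSK.
    Digest type 2 is SHA-256 (RFC 4509); type 4 is SHA-384 (RFC 6605)."""
    hashers = {2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    owner_fqdn = owner.lower().rstrip(".") + "."
    return f"{owner_fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Convenience wrapper: DNSKEY presentation line in, DS record text out."""
    owner, rdata = parse_dnskey(line)
    return ds_record(owner, rdata, digest_type)


if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE))
```

The owner name is lowercased before hashing, so a DS computed from "Sub1.Testing.NET." matches one computed from "sub1.testing.net."; a mismatch between the child's DS and the parent's own recomputation usually means the wrong key file (ZSK instead of KSK, or a retired key) was handed over.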
From: Khuu, Linh Contractor [mailto:Linh.Khuu at ssa.gov]
Sent: Tuesday, 17 July 2012 16:36
To: 'bind-users at lists.isc.org'
Subject: DNSSEC for NS delegation record
I have questions about how to configure the DNS with an NS delegation record
once it's signed.
My DNS server is the parent zone, for example, testing.net and is signed
with DNSSEC. My zone configuration is as follows:
$INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ;
pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600
Testing.net. IN NS dns1.testing.net.
Testing.net. IN NS dns2.testing.net.
www IN A 22.214.171.124
access IN NS sub1.testing.net.
As of right now, sub1.testing.net isn't DNSSEC compliant yet. We
want sub1.testing.net to be DNSSEC aware.
My question is, do we (as parent of the testing.net zone) need to generate the
key (KSK) and zone key (ZSK) for sub1.testing.net, or will the
sub1.testing.net server need to do that? If they generate the keys
to sign all the records in their server, do they need to send us their key
files? How do we (as parent) include those keys in our zone file?