DNSSEC for NS delegation record

Marc Lampo marc.lampo at eurid.eu
Wed Jul 18 06:34:28 UTC 2012


(the “easiest” way)

1)      The admins of sub1.testing.net. should generate ZSK and KSK.
-> The “parent” cannot do this for the “child”

2)      You do not need the “key file*s*” of the child in the parent,
if, by using the plural form, you mean both the public (.key) and private
(.private) file.

3)      The easiest way: using the bind tools (and this is the bind
mailing list), the child will find a “dsset-” file after signing its zone
-> the parent can include *this* file in its “testing.net” zone

Alternatively:
The child can provide the public part of the KSK
and, using the bind tool dnssec-dsfromkey the parent can obtain the DS
records itself.

4)      How to include:
you are already using “$INCLUDE” statements now, so include the file with
the DS info, I’d say.

One additional comment :

By signing the child – “sub1.testing.net.” – only, not much will happen.
You need to complete the chain of trust by also signing the parent –
“testing.net.” –
and having its DS information published in its parent – “net.” !

Kind regards,

Marc Lampo

Security Officer
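The reply above points the parent at dnssec-dsfromkey to derive the DS record from the child's public KSK, and the original question below asks what the parent actually has to put in its zone file. The following is an added example, written for this page and not code from the thread or from BIND: it re-implements the RFC 4034 DS computation that dnssec-dsfromkey performs (canonical owner name, DNSKEY RDATA, key tag, SHA-1/SHA-256 digest), renders the resulting DS line a parent could $INCLUDE into testing.net, and checks that a DS record the child hands over really matches the child's KSK. The DNSKEY material is constructed filler bytes, not a real RSA key, so the script runs offline; the zone names follow the thread.

```python
"""Derive and check DS records for a DNSSEC delegation (RFC 4034).

Added example for this thread, not from BIND. It mirrors what BIND's
dnssec-dsfromkey does: DS digest = H(owner name in wire form | DNSKEY RDATA).
The sample KSK below is constructed filler, not a real public key.
"""
import base64
import hashlib
import struct

# Digest types from the IANA DS registry: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of the RDATA as 16-bit words,
    with the carry folded back in, truncated to 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = 2) -> dict:
    """Build the DS fields for one DNSKEY. The DS in the parent should point
    at the child's KSK, i.e. a key with the SEP bit (flags & 1) set."""
    if not flags & 1:
        raise ValueError("DNSKEY has the SEP bit clear; expected the child's KSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_zone_line(ds: dict, ttl: int = 3600) -> str:
    """Render one DS record as a master-file line, the form found in a dsset file."""
    return (f"{ds['owner']}\t{ttl}\tIN\tDS\t{ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """Parent-side check before publishing: does the DS the child sent
    actually correspond to the public KSK the child sent?"""
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"].upper())


# Constructed sample: a KSK (flags 257) for sub1.testing.net. with algorithm 8
# (RSASHA256). The key bytes are filler, not real RSA material.
CHILD_OWNER = "sub1.testing.net."
CHILD_KSK = dict(flags=257, protocol=3, algorithm=8,
                 pubkey=base64.b64decode("AQIDBA=="))  # b"\x01\x02\x03\x04"

if __name__ == "__main__":
    ds = ds_from_dnskey(CHILD_OWNER, **CHILD_KSK)
    print(ds_zone_line(ds))  # the line the parent would $INCLUDE into testing.net
    print("DS matches child KSK:", ds_matches_dnskey(ds, CHILD_OWNER, **CHILD_KSK))
```

The digest covers the owner name as well as the key, so a DS computed for the wrong zone name, or from a ZSK instead of the KSK, will not validate; the SEP-bit check and ds_matches_dnskey are the two things worth running on whatever the child hands over before the DS goes into the parent zone.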


From: Khuu, Linh Contractor [mailto:Linh.Khuu at ssa.gov]
Sent: Tuesday 17 July 2012 16:36
To: 'bind-users at lists.isc.org'
Subject: DNSSEC for NS delegation record


I have questions about how to configure the DNS with NS delegation record
once it’s signed.

My DNS server is the parent zone, for example, “testing.net” and is signed
with DNSSEC. My zone configuration is as follows:

$TTL 36000
$INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600
Testing.net.         IN      NS      dns1.testing.net.
Testing.net.         IN      NS      dns2.testing.net.
www           IN      A
access         IN      NS       sub1.testing.net.

As of right now, the “sub1.testing.net” isn’t DNSSEC compliant yet. We
want sub1.testing.net to be DNSSEC aware.

My question is, do we (as parent of the testing.net zone) need to generate
the key (KSK) and zone key (ZSK) for “sub1.testing.net”, or will the
“sub1.testing.net” server need to do that? If they generate the keys to
sign all the records in their server, do they need to send us their key
files? How do we (as parent) include those keys in our zone file?


Linh Khuu
