Problem with DNSSEC signing zone

Spain, Dr. Jeffry A. spainj at
Fri Jul 20 14:23:58 UTC 2012

> all this step has been well done, but the last step:
> Generate DS records and provide them to your registrar.
> has not been fluent for me. I found how can i provide key to the registrar i used this command:
> dnssec-dsfromkey -2 KSK.key  "is it the good way to do?"

That command will generate the DS record for you. The procedure for getting the DS record into the parent zone, in this case, depends on your DNS registrar. For example, I use, and on their domain management website, there is a "Manage DS records" page where you can paste in the key digest and certain other information. Not all registrars support DNSSEC DS record management, so you may have to transfer your domain to one who does. See for a list.

> Please tell me how can i bring down this matter and have my AD flag when i made my dig.
The key point to recognize, as stated previously in Carsten Strotmann's post, is that you have to query a DNSSEC-enabled recursive resolver to possibly get an AD flag returned. Your own authoritative name server will never return an AD flag. See for one that is available publicly. Also you can test your zone at to see if there are any missing links in your chain of trust from the DNS root.

Best Regards, Jeff.

More information about the bind-users mailing list