DNSSEC: give KSK from my domain to parent zones
Anand Buddhdev
anandb at ripe.net
Wed Oct 3 19:31:12 UTC 2018
On 03/10/2018 21:24, Roberto Carna wrote:
Hi Roberto,
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
>
> Let's say my domain is "robert.com.uk".
>
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???
Typically, you won't submit the KSK, but a hash of it, called a DS
record. You can generate a DS record using the dnssec-dsfromkey tool,
which is part of BIND.
Your domain will be registered through some registrar. You need to log
into your registrar's web interface, and submit your DS record through
that interface. They will transmit the DS record to the COM or UK
registry which will publish the DS record.
> And what if COM or UK don't use DNSSEC at all ???
Well, COM and UK *are* signed. But if the parent isn't signed, then
there's no point in publishing DS records, because there's no way to
validate the chain of trust. In fact, in general unsigned parent zones
will not even accept DS records.
Regards,
Anand
More information about the bind-users
mailing list