DNSSEC: give KSK from my domain to parent zones

Mark Elkins mje at posix.co.za
Thu Oct 4 19:16:57 UTC 2018



On 10/04/2018 05:03 PM, Roberto Carna wrote:
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some
> other domains from our clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?

I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

(Use a different Key)

> And do I have to tell my clients I will sign their zones or it is
> transparent for them?

DNSSEC is a good thing - but I'd suggest telling the clients that this
is happening. DNSSEC usually introduces the need to have extra DNS
actions happen - even on an otherwise static Zone. Thus - there is more
that might possibly break. On the other hand, it makes resolving items in
that zone far more secure and allows for newer possibilities such as
TLSA records for Web and Mail services. I believe the customer should be
made aware of all these pros and cons.

(Yes)

> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews (<marka at isc.org>) wrote:
>
>     You give the matching DS record via your registrar much the same
>     way as you do the NS RRset or glue address records.  If your
>     registrar doesn’t support DNSSEC you will need to change registrars.
>
>     If your parent zone uses CDS or CDNSKEY then publish those records
>     at the zone apex. 
>
>     If your parent zone is not signed then start complaining.
>
>     -- 
>     Mark Andrews
>
>     On 4 Oct 2018, at 05:24, Roberto Carna <robertocarna36 at gmail.com> wrote:
>
>>     Dear people, I have DNSSEC implemented in my authoritative domain
>>     in BIND 9.10. I've created the KSK and ZSK too.
>>
>>     Let's say my domain is "robert.com.uk".
>>
>>     How do I have to give the KSK (key signing key) to my parent
>>     zones, let's say COM and UK ???
>>
>>     And what if COM or UK don't use DNSSEC at all ???
>>
>>     Thanking in advance,
>>
>>     Robert
>>     _______________________________________________
>>     Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>     unsubscribe from this list
>>
>>     bind-users mailing list
>>     bind-users at lists.isc.org
>>     https://lists.isc.org/mailman/listinfo/bind-users
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
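Added example, not part of the thread above and not code from BIND or ISC: the DS record that Mark Andrews says you hand to your registrar is derived from the KSK's DNSKEY record, and the CDS record he mentions carries exactly the same RDATA under a different type. The script below computes both per RFC 4034 (section 5.1.4 for the digest, Appendix B for the key tag), refuses a ZSK (no SEP flag), and includes a check you can run on the DS the parent actually publishes to confirm it matches your KSK before relying on it. The owner name robert.com.uk comes from the thread; the key bytes, algorithm 13 (ECDSAP256SHA256) and digest type 2 (SHA-256) are assumptions, and the key material is a constructed byte pattern rather than a real key.

```python
"""Derive the DS (and CDS) record for a KSK from its DNSKEY RR, and check a
published DS against it. Follows RFC 4034 section 5.1.4 (DS digest) and
Appendix B (key tag). The key material below is constructed, not a real key."""
import base64
import hashlib
import struct

# DS digest type numbers from the IANA DS digest algorithm registry
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the root label. The DS digest is computed over this plus the RDATA."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into its
    fields; tolerates the parentheses and '; key id' comment dnssec-keygen writes."""
    text = rr.split(";", 1)[0].replace("(", " ").replace(")", " ")
    toks = text.split()
    i = toks.index("DNSKEY")
    owner = toks[0]
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    key = base64.b64decode("".join(toks[i + 4:]))
    return owner, flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA on the wire: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words and fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str, digest_type: int = 2, rtype: str = "DS") -> str:
    """Build the DS (or, with rtype='CDS', the CDS) record for a KSK DNSKEY RR."""
    owner, flags, proto, alg, key = parse_dnskey(rr)
    if not flags & 0x0001:  # SEP bit: the registrar wants the KSK, not a ZSK
        raise ValueError("DNSKEY has no SEP flag; hand the registrar the KSK, not a ZSK")
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner if owner.endswith(".") else owner + "."
    return f"{fqdn} IN {rtype} {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(ds_rr: str, dnskey_rr: str) -> bool:
    """Does a DS/CDS as published by the parent match our KSK? Run this on the
    parent's answer after the registrar confirms the change."""
    toks = ds_rr.split(";", 1)[0].split()
    i = toks.index("DS") if "DS" in toks else toks.index("CDS")
    tag, alg, dtype = toks[i + 1], toks[i + 2], toks[i + 3]
    digest = "".join(toks[i + 4:]).upper()
    expected = ds_from_dnskey(dnskey_rr, int(dtype)).split()
    return expected[3:] == [tag, alg, dtype, digest]


# Constructed sample keys for the thread's domain: algorithm 13 (ECDSAP256SHA256),
# flags 257 (ZONE + SEP) for the KSK, 256 for the ZSK. The 64 key bytes are a
# made-up pattern, not a real key (assumption for illustration only).
CONSTRUCTED_KEY = base64.b64encode(bytes(range(64))).decode()
KSK_RR = f"robert.com.uk. 3600 IN DNSKEY 257 3 13 {CONSTRUCTED_KEY}"
ZSK_RR = f"robert.com.uk. 3600 IN DNSKEY 256 3 13 {CONSTRUCTED_KEY}"

if __name__ == "__main__":
    print(ds_from_dnskey(KSK_RR))               # the line to give the registrar
    print(ds_from_dnskey(KSK_RR, rtype="CDS"))  # the line to publish at the apex if the parent polls CDS
```

The SEP check is deliberate: a registrar form will happily accept a DS derived from a ZSK, and the delegation then breaks at the next ZSK roll. The `ds_matches` check is the one to keep around: a DS whose key tag or digest does not match the KSK in your zone makes every answer bogus for validating resolvers, so verify the parent's published DS against the DNSKEY you actually serve rather than against what you submitted.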
