DNSSEC: give KSK from my domain to parent zones
Roberto Carna
robertocarna36 at gmail.com
Fri Oct 5 16:14:11 UTC 2018
Thanks a lot to all of you.... Now I understand.
But when I check for DNSSEC support with:
dig com.uk +dnssec +multi
I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
sense at all.... does it?
; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk. IN A
;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
1403852443 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
2419200 ; expire (4 weeks)
10800 ; minimum (3 hours)
)
uk. 1548 IN RRSIG SOA 8 1 172800 (
20181019160738 20181005150738 43056 uk.
obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF
V75NiX509EzgTeT9Eh0du0kIptjMZKyDON/5ZN7p21BI
E3srTdrMVTNyNqAEa1SZWlTBWcs4FNzFoVkJVfJXwHpF
IDF2ZLlNxjlP9xgWr+YKcEtqUTYF4lfscx5tOF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018194223 20181004184445 43056 uk.
RH6cfZjzah93ucxwynKropExMhvWznqV4ySiWAsWLw3T
3IaCQoF/rS5Np/PwcuIzZ5ZLR0dJ/56prKWSKA6l5LBz
4dQWvlceb8oY3o1WvBXn/+UjptIMP87LPtNLxU/JsrGJ
YpO6qsBZXTerhmEAAZi+9tLBCo5dW5CO8n5PlP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181019000937 20181004233936 43056 uk.
ca9n8B+3hjnDKh8KHsM5gDGYq9bJ4Rjh/EQ7fVSO4FK4
VDDFtzhDvQySLfudSq3P0pGdqye/BLjTgC6p4pNUeFhL
SPjJsjcA5SvSha7ZNGgAjjdC4t7Sg0yyGnLxfx129lX2
AbhbpJUjCQ5eX6U56t2IH5/8Dg8uAPOFUF6Ogmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
U1LG7J6JO1NFSU55LON2UMGEUJO912TU
NS SOA RRSIG DNSKEY NSEC3PARAM
TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018165433 20181004163523 43056 uk.
Tt5nrfM6nuJOgMPjULGi2WIN5RB3EZmv+nqODimBe5x8
9axQltyX7OR8iHNR6DzQl33aABgfvC/htUpKmtvOlQ6P
6V+2f/1I021Qcnuo7thu3V3a+ad1XFfHp6IqpEHi0Qxz
H4OsgvzFoycF+v0xpSr4ZSeuElJ0whKBlGWKAuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
NS DS RRSIG )
;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE rcvd: 1011
Regards!!!
On Fri, 5 Oct 2018 at 12:58, Chris Thompson (<cet1 at cam.ac.uk>)
wrote:
> On Oct 4 2018, Mark Elkins wrote:
>
> >On 10/04/2018 05:03 PM, Roberto Carna wrote:
> [...]
> >> I have two DNS servers running BIND 9.10, they have delegated my own
> >> domain, let's say "robert.com.uk <http://robert.com.uk>" and some
> >> other domains from our clients, let's say:
> >>
> >> client1.com.uk <http://client1.com.uk>
> >> client2.edu.uk <http://client2.edu.uk>
> >> client3.info.uk <http://client3.info.uk>
> >>
> >> Can I sign theses client zones with my ZSK, or do I have to have a
> >> different key for each domain?
> >
> >I believe common practise is to create separate KSK and ZSK keys for
> >each domain - so each domain will have their own DS records in the
> >parent. This way, if one of the clients moves their domain to a new DNS
> >provider - there is no security conflict in the move from shared keys.
>
> Even if you make (the RDATA of) the KSKs identical for the different zones
> the DS records you will need to insert into the parent zones will be
> different, because the hashing algorithm includes the KSK owner name
> (i.e. the zone name) in its input. See RFC 4034 section 5.1.4.
>
> Similarly using ZSKs with identical RDATA in the different zones will
> not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
> in different zones), because the full owner name is included in the
> hashing input.
>
> >(Use a different Key)
>
> Yes. Because there are no advantages whatsoever in doing otherwise!
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
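Chris's point about RFC 4034 section 5.1.4, as an added example that is not part of this thread: the DS digest is computed over the canonical owner name followed by the DNSKEY RDATA, so the same key material under different zone names produces different DS records, while the key tag (computed over the RDATA alone, RFC 4034 Appendix B) stays the same. The key bytes below are constructed for the demonstration, not a real RSA key.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercased, each label length-prefixed, terminated by a zero octet."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag. It is computed over the RDATA only,
    so it does not change with the zone the key is used in."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA).
    digest_type 1 = SHA-1, 2 = SHA-256; hex digest in upper case."""
    h = hashlib.sha256() if digest_type == 2 else hashlib.sha1()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS RR the parent zone would publish for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))

# Constructed key material (NOT a real RSA public key): an RSA exponent prefix
# followed by 64 arbitrary bytes, enough to show the owner-name dependency.
SHARED_KSK_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()

if __name__ == "__main__":
    # Same KSK RDATA (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256)
    # in three zones: identical key tag, three different digests.
    for zone in ("robert.com.uk.", "client1.com.uk.", "client2.edu.uk."):
        print(ds_record(zone, 257, 3, 8, SHARED_KSK_B64))
```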