DNSSEC: give KSK from my domain to parent zones

Roberto Carna robertocarna36 at gmail.com
Fri Oct 5 16:14:11 UTC 2018


Thanks a lot to all of you. Now I understand.

But when I check for DNSSEC support with:

dig com.uk +dnssec +multi

I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
sense at all, does it?

; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk.                        IN A

;; AUTHORITY SECTION:
uk.                     1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
                                1403852443 ; serial
                                7200       ; refresh (2 hours)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                10800      ; minimum (3 hours)
                                )
uk.                     1548 IN RRSIG SOA 8 1 172800 (
                                20181019160738 20181005150738 43056 uk.
                                obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF
                                V75NiX509EzgTeT9Eh0du0kIptjMZKyDON/5ZN7p21BI
                                E3srTdrMVTNyNqAEa1SZWlTBWcs4FNzFoVkJVfJXwHpF
                                IDF2ZLlNxjlP9xgWr+YKcEtqUTYF4lfscx5tOF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
                                20181018194223 20181004184445 43056 uk.
                                RH6cfZjzah93ucxwynKropExMhvWznqV4ySiWAsWLw3T
                                3IaCQoF/rS5Np/PwcuIzZ5ZLR0dJ/56prKWSKA6l5LBz
                                4dQWvlceb8oY3o1WvBXn/+UjptIMP87LPtNLxU/JsrGJ
                                YpO6qsBZXTerhmEAAZi+9tLBCo5dW5CO8n5PlP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
                                M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
                                NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
                                20181019000937 20181004233936 43056 uk.
                                ca9n8B+3hjnDKh8KHsM5gDGYq9bJ4Rjh/EQ7fVSO4FK4
                                VDDFtzhDvQySLfudSq3P0pGdqye/BLjTgC6p4pNUeFhL
                                SPjJsjcA5SvSha7ZNGgAjjdC4t7Sg0yyGnLxfx129lX2
                                AbhbpJUjCQ5eX6U56t2IH5/8Dg8uAPOFUF6Ogmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
                                U1LG7J6JO1NFSU55LON2UMGEUJO912TU
                                NS SOA RRSIG DNSKEY NSEC3PARAM
                                TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
                                20181018165433 20181004163523 43056 uk.
                                Tt5nrfM6nuJOgMPjULGi2WIN5RB3EZmv+nqODimBe5x8
                                9axQltyX7OR8iHNR6DzQl33aABgfvC/htUpKmtvOlQ6P
                                6V+2f/1I021Qcnuo7thu3V3a+ad1XFfHp6IqpEHi0Qxz
                                H4OsgvzFoycF+v0xpSr4ZSeuElJ0whKBlGWKAuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
                                UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
                                NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE  rcvd: 1011


Regards!!!


On Fri, 5 Oct 2018 at 12:58, Chris Thompson (<cet1 at cam.ac.uk>)
wrote:

> On Oct 4 2018, Mark Elkins wrote:
>
> >On 10/04/2018 05:03 PM, Roberto Carna wrote:
> [...]
> >> I have two DNS servers running BIND 9.10, they have delegated my own
> >> domain, let's say "robert.com.uk <http://robert.com.uk>" and some
> >> other domains from our clients, let's say:
> >>
> >> client1.com.uk <http://client1.com.uk>
> >> client2.edu.uk <http://client2.edu.uk>
> >> client3.info.uk <http://client3.info.uk>
> >>
> >> Can I sign theses client zones with my ZSK, or do I have to have a
> >> different key for each domain?
> >
> >I believe common practice is to create separate KSK and ZSK keys for
> >each domain - so each domain will have their own DS records in the
> >parent. This way, if one of the clients moves their domain to a new DNS
> >provider - there is no security conflict in the move from shared keys.
>
> Even if you make (the RDATA of) the KSKs identical for the different zones
> the DS records you will need to insert into the parent zones will be
> different, because the hashing algorithm includes the KSK owner name
> (i.e. the zone name) in its input. See RFC 4034 section 5.1.4.
>
> Similarly using ZSKs with identical RDATA in the different zones will
> not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
> in different zones), because the full owner name is included in the
> hashing input.
>
> >(Use a different Key)
>
> Yes. Because there are no advantages whatsoever in doing otherwise!
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
>
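As an added illustration of the point about DS records (example code written for this page, not from the thread or from BIND), here is the DS digest computation of RFC 4034 section 5.1.4 and the key tag of RFC 4034 Appendix B, run with constructed key material: because the owner name is hashed together with the DNSKEY RDATA, the same KSK RDATA under client1.com.uk and client2.edu.uk produces different DS digests, while the key tag, computed over the RDATA alone, stays the same.

```python
# Added example: DS digest per RFC 4034 section 5.1.4 and key tag per
# RFC 4034 Appendix B. Not code from the thread or from BIND.
import base64
import hashlib
import struct

# Constructed sample public-key bytes; not a real zone key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in [l for l in name.rstrip(".").lower().split(".") if l]:
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): computed over the RDATA only, so the owner name plays no part."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (1 = SHA-1, 2 = SHA-256) over the owner name in wire form followed by the RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> str:
    """Presentation-format DS RR for the parent: owner, key tag, algorithm, digest type 2, digest."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"

if __name__ == "__main__":
    # Same KSK RDATA (flags 257 = KSK, algorithm 8 = RSASHA256) in two of the zones from the thread:
    # identical key tag, different digest.
    for zone in ("client1.com.uk.", "client2.edu.uk."):
        print(ds_record(zone, 257, 8, SAMPLE_PUBKEY_B64))
```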