<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Arial Narrow";
        panose-1:2 11 6 6 2 2 2 3 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
        {font-family:"Lucida Console";
        panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.emailquote, li.emailquote, div.emailquote
        {mso-style-name:emailquote;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:1.0pt;
        border:none;
        padding:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:151525519;
        mso-list-type:hybrid;
        mso-list-template-ids:1433319944 135462929 135462937 135462939 135462927 135462937 135462939 135462927 135462937 135462939;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NL-BE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(the “easiest” way)<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The admins of sub1.testing.net. should generate ZSK and KSK.<br></span><span lang=EN-US style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>à</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> The “parent” cannot do this for the “child”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You do <b>not</b> need the “key file*s*” of the child, in the parent.<br>If, by using the plural form, you mean both public (.key) and private (.private) file.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span 
style='mso-list:Ignore'>3)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The easiest way : using the bind tools (and this is the bind mailing list)<br> the child will find a “dsset-…” file after signing its zone<br> </span><span lang=EN-US style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>à</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> the parent can include *<b>this</b>* file in its “testing.net” zone<br><br>Alternatively :<br>The child can provide the public part of the KSK<br>and, using the bind tool <i>dnssec-dsfromkey</i> the parent can obtain the DS records itself.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>4)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How to include :<br>you are already using “$INCLUDE” statements now, so, include the file with DS info, I’d say.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>One additional comment :<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>By signing the child – “sub1.testing.net.” – only, not much will happen, for DNSSEC.<br>You need to complete the chain of trust by also signing the parent 
– “testing.net.” -<br>and having its DS information published in its parent – “net.” !<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=IT style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>Marc Lampo</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><i><span lang=IT style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>Security Officer</span></i><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><i><span lang=IT style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'> </span></i><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>EUR<i>id</i></span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Khuu, Linh Contractor [mailto:Linh.Khuu@ssa.gov] <br><b>Sent:</b> Tuesday 17 July 2012 16:36<br><b>To:</b> 'bind-users@lists.isc.org'<br><b>Subject:</b> DNSSEC for NS delegation record<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>Hi,</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Georgia","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>I have questions about how to configure the DNS with NS delegation record once it’s signed.</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Georgia","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>My DNS server is the parent zone, for example, “testing.net” and is signed with DNSSEC. 
My zone configuration is as follows:</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>$TTL 36000</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>$INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key </span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Georgia","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>Testing.net.         
IN      NS      dns1.testing.net.</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>Testing.net.         IN      NS      dns2.testing.net.</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>www           IN      A       168.168.168.168</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>access         IN      NS       sub1.testing.net.</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Georgia","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>As of right now, the “sub1.testing.net” isn’t DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware. </span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Georgia","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>My question is, do we (as parent of testing.net zone) need to generate the key (KSK) and zone key (ZSK) for the “sub1.testing.net” or will the “sub1.testing.net” server need to do that? If they generate the keys to sign all the records in their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file? 
</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Georgia","serif"'>Thanks,</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:blue'>Linh Khuu</span></i><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-size:10.0pt;font-family:"Georgia","serif"'><o:p></o:p></span></p></div></div></body></html>
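What the parent ends up publishing by either route in step 3 of the reply, as an added example in Python (not part of the original e-mails and not BIND's code): a DS record is the key tag plus a digest over the child's owner name and DNSKEY RDATA, so the parent can recompute it from the child's public KSK and compare it with the line in the received dsset- file before including it. The function names and the 4-byte sample key are assumptions constructed for illustration.

```python
import base64, hashlib, struct

# DS digest types (RFC 4034 / 4509 / 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as hashed for the DS: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_ds_line(line):
    """Parse 'owner [ttl] IN DS tag alg dtype digest...' as found in a dsset- file."""
    fields = line.split(";")[0].split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def child_ds_matches(ds_line, zone, flags, protocol, algorithm, pubkey_b64):
    """True only if the DS line is for `zone` and hashes the DNSKEY we were given."""
    owner, ds = parse_ds_line(ds_line)
    if wire_name(owner) != wire_name(zone) or not flags & 0x0100:
        return False  # wrong delegation, or the key is not flagged as a zone key
    if ds[2] not in DIGESTS:
        return False  # digest type this sketch does not implement
    return ds == ds_from_dnskey(zone, flags, protocol, algorithm, pubkey_b64, ds[2])

if __name__ == "__main__":
    # Constructed 4-byte "public key": not a real RSA key, it only exercises the encoding.
    key = (257, 3, 8, "AQIDBA==")
    tag, alg, dtype, digest = ds_from_dnskey("sub1.testing.net.", *key)
    line = f"sub1.testing.net. IN DS {tag} {alg} {dtype} {digest}"
    print(line, child_ds_matches(line, "Sub1.Testing.net", *key))
```

The comparison covers only the DS content; how the dsset- file or public key reached the parent still has to be trusted separately.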