<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 10/04/2018 05:03 PM, Roberto Carna
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAG2Qp6tA_tnhGPJJLyR2uF6dywFkC=msA34J14=VUUJHwhXFLA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">Hello, thanks to both of you for your help. Now I
understand I have to contact my registrar in order to give it
the DS of the KSK.
<div><br>
</div>
<div>Please I have a last question:</div>
<div><br>
</div>
<div>I have two DNS servers running BIND 9.10, they have
delegated my own domain, let's say "<a
href="http://robert.com.uk" moz-do-not-send="true">robert.com.uk</a>"
and some other domains from our clients, let's say:</div>
<div><br>
</div>
<div><a href="http://client1.com.uk" moz-do-not-send="true">client1.com.uk</a></div>
<div><a href="http://client2.edu.uk" moz-do-not-send="true">client2.edu.uk</a></div>
<div><a href="http://client3.info.uk" moz-do-not-send="true">client3.info.uk</a></div>
<div><br>
</div>
<div>Can I sign theses client zones with my ZSK, or do I have to
have a different key for each domain?</div>
</div>
</blockquote>
<br>
I believe common practise is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new
DNS provider - there is no security conflict in the move from shared
keys.<br>
<br>
(Use a different Key)<br>
<br>
<blockquote type="cite"
cite="mid:CAG2Qp6tA_tnhGPJJLyR2uF6dywFkC=msA34J14=VUUJHwhXFLA@mail.gmail.com">
<div dir="ltr">
<div>And do I have to tell my clients I will sign their zones or
it is transparent for them?</div>
</div>
</blockquote>
<br>
DNSSEC is a good thing - but I'd suggest telling the clients that
this is happening. DNSSEC usually introduces the need to have extra
DNS actions happen - even on an otherwise static Zone. Thus - there
is more that might possibly break. On the other hand, it make
resolving items in that zone far more secure and allows for newer
possibilities such as TLSA records for Web and Mail services. I
believe the customer should be made aware of all these pros and
cons.<br>
<br>
(Yes)<br>
<br>
<blockquote type="cite"
cite="mid:CAG2Qp6tA_tnhGPJJLyR2uF6dywFkC=msA34J14=VUUJHwhXFLA@mail.gmail.com">
<div dir="ltr">
<div>Thanks a lot again, regards !!!</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">El mié., 3 oct. 2018 a las 16:36, Mark Andrews
(<<a href="mailto:marka@isc.org" moz-do-not-send="true">marka@isc.org</a>>)
escribió:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">You give the matching DS record via your
registrar much the same way as you do the NS RRset or glue
address records. If your registrar doesn’t support DNSSEC
you will need to change registrars.
<div><br>
</div>
<div>If your parent zone uses CDS or CDNSKEY then publish
those records at the zone apex. <br>
<div><br>
</div>
<div>If your parent zone is not signed then start
complaining.<br>
<div><br>
<div id="m_-4286774890683613586AppleMailSignature"
dir="ltr">--
<div>Mark Andrews</div>
</div>
<div dir="ltr"><br>
On 4 Oct 2018, at 05:24, Roberto Carna <<a
href="mailto:robertocarna36@gmail.com"
target="_blank" moz-do-not-send="true">robertocarna36@gmail.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>Dear people, I have DNSSEC implemented in
my authoritative domain in BIND 9.10. I've
created the KSK and ZSK too.</div>
<div><br>
</div>
<div>Let's say my domain is "<a
href="http://robert.com.uk" target="_blank"
moz-do-not-send="true">robert.com.uk</a>".</div>
<div><br>
</div>
<div>How do I have to give the KSK (key signing
key) to my parent zones, let's say COM and UK
???</div>
<div><br>
</div>
<div>And what if COM or UK don't use DNSSEC at
all ???</div>
<div><br>
</div>
<div>Thanking in advance,</div>
<div><br>
</div>
<div>Robert<br>
</div>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr"><span>_______________________________________________</span><br>
<span>Please visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
target="_blank" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list</span><br>
<span></span><br>
<span>bind-users mailing list</span><br>
<span><a href="mailto:bind-users@lists.isc.org"
target="_blank" moz-do-not-send="true">bind-users@lists.isc.org</a></span><br>
<span><a
href="https://lists.isc.org/mailman/listinfo/bind-users"
target="_blank" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Mark James ELKINS - Posix Systems - (South) Africa
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: <a class="moz-txt-link-freetext" href="https://ftth.posix.co.za">https://ftth.posix.co.za</a>
</pre>
</body>
</html>