DNSSEC / Include a subdomain's KSK data, ZSK data or both in parent domain?
Ralph Seichter
m16+bind at monksofcool.net
Thu Dec 7 16:45:04 UTC 2017
Hello list members.
I use the following configuration for a domain-subdomain pair:
zone "example.com" IN {
    type master;
    file "pri/example.com.zone";
    auto-dnssec maintain;
    inline-signing yes;
};
zone "subdom.example.com" IN {
    type master;
    file "pri/subdom.example.com.zone";
    auto-dnssec maintain;
    inline-signing yes;
};
As you can see, I specified automatic maintenance for both zones, and I
have included DS records for both the subdomain's key-signing key and
zone-signing key, freshly generated today, in example.com.zone. DNSSEC
verification succeeds with this setup. However, with BIND's automatic
maintenance, I am not quite sure if this will change over time.
Would it be sufficient/advisable to include only the subdomain's KSK
data in the parent domain's zone file and remove ZSK data, or do I need
to keep both?
-Ralph
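
The check below is an added example, not part of the original post or of BIND: it maps each DS record held in the parent zone to the child DNSKEY it references, labels the key KSK or ZSK by the SEP flag bit (flags 257 vs 256), and marks DS records that match no current key. The key material, algorithm 8 and digest type 2 (SHA-256) are constructed assumptions, and the key tag routine does not cover algorithm 1.

```python
import base64, hashlib, struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4034, 5.1.4)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def audit_ds(owner, dnskeys, ds_records):
    """dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples from the child zone.
    ds_records: (key_tag, algorithm, digest_type, digest_hex) tuples from the parent."""
    index = {}
    for flags, proto, alg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pub)
        role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit set -> KSK
        index[(key_tag(rdata), alg, ds_sha256(owner, rdata))] = role
    report = []
    for tag, alg, dtype, digest in ds_records:
        role = index.get((tag, alg, digest.upper())) if dtype == 2 else None
        report.append((tag, role or "DANGLING"))  # DANGLING: no current DNSKEY matches
    return report

def demo():
    # Constructed sample keys (not real key material); algorithm 8 = RSASHA256.
    b64 = lambda seed: base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()
    ksk, zsk, new_zsk = (257, 3, 8, b64(1)), (256, 3, 8, b64(2)), (256, 3, 8, b64(3))
    def ds(k):
        r = dnskey_rdata(*k)
        return (key_tag(r), k[2], 2, ds_sha256("subdom.example.com", r))
    parent_ds = [ds(ksk), ds(zsk)]  # parent holds DS for both keys, as in the post
    before = audit_ds("subdom.example.com", [ksk, zsk], parent_ds)
    after = audit_ds("subdom.example.com", [ksk, new_zsk], parent_ds)  # ZSK replaced
    return before, after
```

In the constructed scenario, the DS record derived from the ZSK is reported as DANGLING once that key is replaced in the child zone, while the DS record derived from the KSK still matches.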