DNSSEC / Include a subdomain's KSK data, ZSK data or both in parent domain?
Douglas C. Stephens
stephens at ameslab.gov
Thu Dec 7 21:33:29 UTC 2017
Ralph,
I run a site with a similar arrangement of parent and child zones on
the same signing server with "auto-dnssec maintain" and
"inline-signing yes".
My research found that only DS records for the child zone's KSK(s)
needed to be put into the parent zone. I was very happy to find
DNSViz (http://dnsviz.net) confirmed that for me.
BIND 9.11.x did not automatically do that for my configuration, so my
automated scripts take care of it for me.
On 12/7/2017 10:45 AM, Ralph Seichter wrote:
> Hello list members.
>
> I use the following configuration for a domain-subdomain pair:
>
> zone "example.com" IN {
>     type master;
>     file "pri/example.com.zone";
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
> zone "subdom.example.com" IN {
>     type master;
>     file "pri/subdom.example.com.zone";
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
> As you can see, I specified automatic maintenance for both zones,
> and I have included DS records for both the subdomain's key-signing
> key and zone-signing key, freshly generated today, in
> example.com.zone. DNSSEC verification succeeds with this setup.
> However, with BIND's automatic maintenance, I am not quite sure if
> this will change over time.
>
> Would it be sufficient/advisable to include only the subdomain's
> KSK data in the parent domain's zone file and remove ZSK data, or
> do I need to keep both?
>
> -Ralph
--
Douglas C. Stephens | Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: stephens at ameslab.gov
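The step Douglas describes scripting, building the parent-side DS records from the child zone's DNSKEY RRset while skipping the ZSK, is shown below as an added example. It is not code from this thread or from BIND (BIND ships dnssec-dsfromkey for this); it implements the RFC 4034 key-tag (Appendix B) and DS digest (section 5.1.4) computations directly so the selection rule is visible. The zone name subdom.example.com is taken from Ralph's configuration; the two DNSKEY records and their key bytes are constructed filler, not real keys.

```python
"""Derive the DS records a parent zone needs from a child zone's DNSKEY RRset.

Added example, not code from the original post or from BIND: it takes
DNSKEY records in presentation format (what `dig DNSKEY subdom.example.com`
prints), keeps only keys with the SEP bit set (flags 257, the KSKs) and
computes their DS records per RFC 4034 Appendix B (key tag) and section
5.1.4 (digest = hash(owner name in wire form || DNSKEY RDATA)).
"""
import base64
import hashlib
import struct

# Constructed placeholder public keys (RSA-style exponent prefix, junk modulus).
KSK_KEY_BYTES = b"\x03\x01\x00\x01" + b"constructed KSK modulus bytes, not a real key"
ZSK_KEY_BYTES = b"\x03\x01\x00\x01" + b"constructed ZSK modulus bytes, not a real key"

# Constructed sample RRset laid out like `dig` output; algorithm 8 = RSASHA256.
SAMPLE_DNSKEYS = "\n".join([
    "subdom.example.com. 3600 IN DNSKEY 257 3 8 "
    + base64.b64encode(KSK_KEY_BYTES).decode(),
    "subdom.example.com. 3600 IN DNSKEY 256 3 8 "
    + base64.b64encode(ZSK_KEY_BYTES).decode(),
])

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit, RFC 4034 section 2.1.1


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR into (owner, flags, proto, alg, key)."""
    toks = line.split()
    i = toks.index("DNSKEY")
    owner = toks[0]
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    key = base64.b64decode("".join(toks[i + 4:]))  # key may span several tokens
    return owner, flags, proto, alg, key


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the legacy algorithm-1 variant is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, proto, alg, key, digest_type=2):
    """Zone-file DS RR for one DNSKEY; digest_type 2 = SHA-256."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_records_for_parent(dnskey_text, digest_type=2):
    """Return DS records for the KSKs only; ZSKs and non-DNSSEC keys are skipped."""
    records = []
    for line in dnskey_text.strip().splitlines():
        owner, flags, proto, alg, key = parse_dnskey(line)
        if proto != 3 or not flags & SEP_FLAG:
            continue  # protocol must be 3; no SEP bit means a ZSK, nothing for the parent
        records.append(ds_record(owner, flags, proto, alg, key, digest_type))
    return records


if __name__ == "__main__":
    for rr in ds_records_for_parent(SAMPLE_DNSKEYS):
        print(rr)
```

On a real key the output can be compared with `dnssec-dsfromkey -2 Ksubdom.example.com.+008+NNNNN.key` run against the published KSK file, and after the parent is reloaded with `dig +dnssec DS subdom.example.com` or DNSViz as the post suggests. Two caveats a practitioner will want: the digest is over the canonical (lowercased) owner name, so a mixed-case child name in the parent zone file does not change the DS; and the parent's DS must be replaced in step with the child's KSK rollover, since a DS pointing at a retired KSK breaks the chain even though the child zone itself still validates.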