DNSSEC

Mark Andrews Mark_Andrews at isc.org
Mon Nov 27 23:48:56 UTC 2006


> How do I preserve the chain of trust if I happen to run 2 zones within
> the same DNS server with DNSSEC (running Bind 9.3.3)
> 
> zone 1: example.com (signed with a KSK)
> zone 2: myzone.example.com (signed with a KSK)
> 
> Do I need to include anything on the "example.com" zone in order to
> enable the trust? Or, do I need to sign the example.com zone with
> another parameter?
> 
> Do I need to add the DS RR record with something like "$include
> dsset-myzone.example.com" on the "example.com" zone?
> 
> Mike

	You can either add them with $include or have dnssec-signzone 
	create them from the keyset files with '-g'.  Note these methods
	are mutually exclusive and apply for all children.

	# create zone signing key and key signing key.
	dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.example.com
	dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE myzone.example.com
	# add keys to raw zone.
	cat myzone.example.com.raw Kmyzone.example.com*.key \
		> myzone.example.com.unsigned
	# sign the resulting zone.
	dnssec-signzone -o myzone.example.com -f myzone.example.com.db \
		myzone.example.com.unsigned

	# create zone signing key and key signing key.
	dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
	dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE example.com
	# add keys to raw zone.
	cat example.com.raw Kexample.com*.key > example.com.unsigned
	# look for child keysets in the current directory and sign the zone
	dnssec-signzone -g -o example.com -f example.com.db example.com.unsigned

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
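As an added example (not from Mark's post or from BIND itself): the DS record that `-g` copies out of the child's keyset is a hash of the child's KSK, so an operator can independently confirm that the DS the parent zone publishes really matches the KSK the child signs with. It implements the RFC 4034 key tag and DS digest; the DNSKEY below is constructed with a deliberately tiny key so the tag can be checked by hand, and the function names are mine.

```python
import base64
import hashlib
import struct

# Constructed sample, not real key material: a KSK (flags 257) for the child zone
# with a 2-byte "key" so the key tag (1031) can be verified by hand.
CHILD_KSK = "myzone.example.com. 3600 IN DNSKEY 257 3 5 AAE="

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """'owner [TTL] [IN] DNSKEY flags proto alg key...' -> (owner, flags, proto, alg, rdata)."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    key = base64.b64decode("".join(tok[i + 4:]))
    return tok[0], flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for RSASHA1 etc.; algorithm 1 uses a different rule).
    This is the NNNNN in Kmyzone.example.com.+005+NNNNN.key and in the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def ds_for(dnskey_line, digest_type=1):
    """Build the DS RR (what a dsset- file holds) the parent must publish for this KSK:
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    owner, _, _, alg, rdata = parse_dnskey(dnskey_line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def chain_of_trust_ok(parent_ds_line, child_dnskey_line):
    """True iff the DS in the parent matches the child's KSK on key tag, algorithm and digest."""
    tag, alg, dtype, digest = parent_ds_line.split()[-4:]
    expected = ds_for(child_dnskey_line, int(dtype)).split()[-4:]
    return [tag, alg, dtype, digest.upper()] == expected

if __name__ == "__main__":
    print(ds_for(CHILD_KSK))
```

Run it against the real `Kmyzone.example.com.+005+NNNNN.key` line and the DS line in the signed `example.com.db`; a `False` means the parent is publishing a DS for a key the child no longer uses and the chain is broken.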