DNSSEC
Mark Andrews
Mark_Andrews at isc.org
Mon Nov 27 23:48:56 UTC 2006
> How do I preserve the chain of trust if I happen to run 2 zones within
> the same DNS server with DNSSEC (running Bind 9.3.3)
>
> zone 1: example.com (signed with a KSK)
> zone 2: myzone.example.com (signed with a KSK)
>
> Do I need to include anything on the "example.com" zone in order to
> enable the trust? Or, do I need to sign the example.com zone with
> another parameter?
>
> Do I need to add the DS RR record with something like "$include
> dsset-myzone.example.com" on the "example.com" zone?
>
> Mike
You can either add them with $include or have dnssec-signzone
create them from the keyset files with '-g'. Note these methods
are mutually exclusive and apply for all children.
# create zone signing key and key signing key.
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.example.com
dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE myzone.example.com
# add keys to raw zone.
cat myzone.example.com.raw Kmyzone.example.com*.key > myzone.example.com.unsigned
# sign the resulting zone.
dnssec-signzone -o myzone.example.com -f myzone.example.com.db \
myzone.example.com.unsigned
# create zone signing key and key signing key.
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE example.com
# add keys to raw zone.
cat example.com.raw Kexample.com*.key > example.com.unsigned
# look for child keysets (dsset-/keyset- files) in the current directory and sign the zone
dnssec-signzone -g -o example.com -f example.com.db example.com.unsigned
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
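What the dsset- file that either method feeds into the parent actually contains is a DS record: the key tag, algorithm and a digest over the child's owner name plus the KSK's DNSKEY RDATA (RFC 4034). The following Python is an added example, not code from the post or from BIND: it parses a DNSKEY line of the kind dnssec-keygen writes, computes the DS record the parent must publish, and checks a DS line against the child's KSK, which is the check a parent operator should make before blindly $include-ing a child's dsset- file. The sample key is a constructed 4-byte blob, not a real RSA key, and algorithm 8 (RSASHA256) with digest type 2 (SHA-256) are assumed; the post itself uses RSASHA1 on BIND 9.3.3, where the same tag and digest construction applies with algorithm 5 and SHA-1 (digest type 1).

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed sample: a DNSKEY line of the kind dnssec-keygen writes to a
# K<zone>+<alg>+<tag>.key file.  The key material is a made-up 4-byte blob,
# not a real RSA key; algorithm 8 (RSASHA256) is an assumption.
SAMPLE_DNSKEY = "myzone.example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key

    def is_ksk(self) -> bool:
        """The low bit of flags is the SEP bit that 'dnssec-keygen -f KSK' sets (257 = 256 + 1)."""
        return bool(self.flags & 1)


def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation-format 'owner [ttl] [IN] DNSKEY flags proto alg base64...'."""
    fields = line.split()
    owner, i = fields[0], 1
    if fields[i].isdigit():        # optional TTL
        i += 1
    if fields[i].upper() == "IN":  # optional class
        i += 1
    if fields[i].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return DNSKEY(owner, flags, proto, alg, key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the number in the key file name and in the DS RR)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-cased) wire form, which is what the DS digest covers."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_record(key: DNSKEY, digest_type: int = 2) -> str:
    """The DS RR the parent must publish for this KSK (what a dsset- file holds)."""
    rdata = key.rdata()
    digest = DIGESTS[digest_type](canonical_wire_name(key.owner) + rdata).hexdigest().upper()
    return f"{key.owner.lower()} IN DS {key_tag(rdata)} {key.algorithm} {digest_type} {digest}"


def ds_matches(key: DNSKEY, ds_line: str) -> bool:
    """Check that a DS line (e.g. from a child's dsset- file) really derives from
    this DNSKEY, and that the key is a KSK, before the parent includes it."""
    f = ds_line.split()
    try:
        at = [x.upper() for x in f].index("DS")
    except ValueError:
        return False
    tag, alg, dtype = (int(x) for x in f[at + 1:at + 4])
    digest = "".join(f[at + 4:]).upper()
    if dtype not in DIGESTS or not key.is_ksk():
        return False
    expected_digest = ds_record(key, dtype).split()[-1]
    return (f[0].lower().rstrip(".") == key.owner.lower().rstrip(".")
            and tag == key_tag(key.rdata())
            and alg == key.algorithm
            and digest == expected_digest)


if __name__ == "__main__":
    k = parse_dnskey(SAMPLE_DNSKEY)
    ds = ds_record(k)
    print(ds)
    print("matches child KSK:", ds_matches(k, ds))
```

The parent should publish one DS per child KSK, never for the ZSK; ds_matches refuses a key without the SEP bit for that reason, and compares the digest over the lower-cased owner name so that a dsset- file written with different letter case still validates.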