shared KSK for static zone and dynamic subzone?

Mark Andrews marka at isc.org
Tue Apr 26 08:21:22 UTC 2011


In message <20110426011334.GE2976 at cardinal>, /dev/rob0 writes:
> I feel like I am understanding the "how" of this DNSSEC stuff, but 
> I'm not so sure about some of the "whys". This post is asking a bit 
> of both.
> 
> I've got a static zone, nodns4.us., which is now signed. It's the 
> parent zone to dynamic.nodns4.us., a dynamic zone. Is there any 
> reason why I can't use the parent zone's KSK for the dynamic zone? 
> Better yet, is there a reason why I shouldn't?
> 
> If I do, what (if anything) does the parent zone need as DS for the 
> dynamic zone? DNSKEY (the .key file as generated by dnssec-keygen(8)) 
> goes into the dynamic zone via nsupdate(8) as per the 
> bind-9.8.0/arm/Bv9ARM.ch04.html#id2607351 documentation.

It needs a DS exactly the same way as .us needs the DS records for
nodns4.us.

> If using the same KSK, is that entered as a DNSKEY into the dynamic 
> zone also? But of course as dynamic.nodns4.us. rather than the name 
> as which it was generated, nodns4.us. (Maybe this is the problem?)
> 
> I tried adding the dsset-nodns4.us. to nodns4.us as DS for 
> dynamic.nodns4.us. But AFAICT the signature verification is failing. 
> I bet my idea about DS was wrong. But my idea about no DS was also 
> apparently wrong, because signatures didn't verify before adding DS 
> records to the parent.

The DS records include the owner name of the DNSKEY record in the
hash.  You can't take a DS from one DNSKEY and use it for another
DNSKEY with a different name even if it shares the public key and
other DNSKEY parameters.

> How/where do you get these DS records with dynamic signing? My 
> dsset-nodns4.us. was generated by dnssec-signzone(8). I see no 
> mention in the ARM about this.

dnssec-dsfromkey can generate DS records from DNSKEY records.

> -- 
>     Offlist mail to this address is discarded unless
>     "/dev/rob0" or "not-spam" is in Subject: header
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org