shared KSK for static zone and dynamic subzone?
Mark Andrews
marka at isc.org
Tue Apr 26 08:21:22 UTC 2011
In message <20110426011334.GE2976 at cardinal>, /dev/rob0 writes:
> I feel like I am understanding the "how" of this DNSSEC stuff, but
> I'm not so sure about some of the "whys". This post is asking a bit
> of both.
>
> I've got a static zone, nodns4.us., which is now signed. It's the
> parent zone to dynamic.nodns4.us., a dynamic zone. Is there any
> reason why I can't use the parent zone's KSK for the dynamic zone?
> Better yet, is there a reason why I shouldn't?
>
> If I do, what (if anything) does the parent zone need as DS for the
> dynamic zone? DNSKEY (the .key file as generated by dnssec-keygen(8))
> goes into the dynamic zone via nsupdate(8) as per the
> bind-9.8.0/arm/Bv9ARM.ch04.html#id2607351 documentation.
It needs a DS exactly the same way as .us needs the DS records for
nodns4.us.
> If using the same KSK, is that entered as a DNSKEY into the dynamic
> zone also? But of course as dynamic.nodns4.us. rather than the name
> as which it was generated, nodns4.us. (Maybe this is the problem?)
>
> I tried adding the dsset-nodns4.us. to nodns4.us as DS for
> dynamic.nodns4.us. But AFAICT the signature verification is failing.
> I bet my idea about DS was wrong. But my idea about no DS was also
> apparently wrong, because signatures didn't verify before adding DS
> records to the parent.
The DS records include the owner name of the DNSKEY record in the
hash. You can't take a DS from one DNSKEY and use it for another
DNSKEY with a different name even if it shares the public key and
other DNSKEY parameters.
> How/where do you get these DS records with dynamic signing? My
> dsset-nodns4.us. was generated by dnssec-signzone(8). I see no
> mention in the ARM about this.
dnssec-dsfromkey can generate DS records from DNSKEY records.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
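The point Mark makes about DS records can be checked directly: per RFC 4034 section 5.1.4 the DS digest is computed over the canonical wire-format owner name followed by the DNSKEY RDATA, while the key tag (RFC 4034 Appendix B) covers only the RDATA. The following script is an added example, not code from this thread or from ISC; it builds the DS record the way dnssec-dsfromkey would for the zone names used above (nodns4.us. and dynamic.nodns4.us.) and shows that the same key material under the two owner names yields the same key tag but different digests, which is why the dsset-nodns4.us. DS could never validate dynamic.nodns4.us. The key bytes are a constructed placeholder, not a real key.

```python
import hashlib

# Constructed sample KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSASHA256).
# The public-key bytes are a made-up placeholder for illustration only.
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 8
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(64))

# DS digest types defined in RFC 4034 (1) and RFC 4509 (2).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase labels, uncompressed."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag. Note: computed over RDATA only, owner name excluded."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Build the DS RR text that would be placed in the parent zone for `owner`."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = DIGEST_TYPES[digest_type]()
    h.update(wire_name(owner))  # the owner name is part of the digest input
    h.update(rdata)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {h.hexdigest().upper()}"


def ds_fields(ds: str) -> tuple[int, int, int, str]:
    """Split a DS RR string into (key_tag, algorithm, digest_type, digest)."""
    parts = ds.split()
    return int(parts[3]), int(parts[4]), int(parts[5]), parts[6]


def compare_same_key_two_owners(parent: str = "nodns4.us.",
                                child: str = "dynamic.nodns4.us.") -> dict:
    """Show what happens when one KSK is published under both owner names."""
    ds_parent = ds_record(parent, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    ds_child = ds_record(child, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    tag_p, _, _, dig_p = ds_fields(ds_parent)
    tag_c, _, _, dig_c = ds_fields(ds_child)
    return {
        "parent_ds": ds_parent,
        "child_ds": ds_child,
        "same_key_tag": tag_p == tag_c,    # True: key tag ignores the owner name
        "same_digest": dig_p == dig_c,     # False: digest covers the owner name
    }


if __name__ == "__main__":
    result = compare_same_key_two_owners()
    print(result["parent_ds"])
    print(result["child_ds"])
    print("same key tag:", result["same_key_tag"], "| same digest:", result["same_digest"])
```

The two DS lines print with identical key tags, so a glance at the tag field will not reveal the mistake; only the digest differs, and only a DS generated for the child's own name (dnssec-dsfromkey on the DNSKEY as published at dynamic.nodns4.us.) will validate the chain.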