how to proper include DS record on key dnssec

Torinthiel torinthiel at data.pl
Fri Jan 14 08:01:12 UTC 2011


On 2011-01-14 03:11 fakessh @ wrote:

>hello bind network  and hello dnssec network admin.
>
>
>thank you for answering,
>I think I found a solution to my problem.
>the $INCLUDE directive is what I have to handle
>
>
>example: 
>	$INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu

YOU don't do it. This goes into the PARENT zone. Unless you manage the 
parent zone as well, but even in that case it goes into a different file.


>        $INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu

This is OK, although when you have an $INCLUDE and do dnssec-signzone it 
automatically resolves it, so the generated signed zone does not have $INCLUDE.

>and perform a complete re-signing of the zone
>this should enable me to have the DS flag and DS signature, DLV and DLV signature

Err, both the DS (as stated before) and DLV go into different zones.
To sum up:
DNSKEY goes to fakessh.eu
DS goes to .eu, and I don't have any idea if registrars already permit it
DLV goes to dlv.isc.net or any other dlv repository you want.

That's three different zones, and three different signers.


>in my zone
>
>it's right
>
>thanks for your return, many returns are welcome
>
>
>On Thursday, 13 January 2011 at 12:36 -0500, Paul Wouters wrote:
>> On Thu, 13 Jan 2011, fakessh @ wrote:
>> 
>> > I correctly configured my CentOS server with DNSSEC on, with ISC DLV as a
>> > representative of encryptions. My question is relevant and was
>> > already asked, but I have not found the complete answer on Google. My
>> > question is how to include the DS record in the keys. My keys are in a
>> > separate folder. The DS record is already generated in
>> 
>> The DS record goes into the parent zone, not the zone itself.
>> 
>> > I also wonder the utility of this good record given that my signatures
>> > are marked as good on dlv
>> 
>> Use any public DNS server with dlv configured. eg nssec.xelerance.net:
>> 
>> dig +dnssec -t ds yourzone @nssec.xelerance.net
>> 
>> > what file in the include directive must be accomplished and realize how
>> > well inclusion of the DS record (what should be the proper syntax on how
>> > to declare dlv isc) how to re-sign after the keys
>> 
>> You give your DS via http://dlv.isc.org/
>> 
>> Paul

>-- 
>gpg --keyserver pgp.mit.edu --recv-key 092164A7
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
>
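The placement rule Torinthiel sums up above (DNSKEY at the apex of your zone, DS handed to the parent) can be checked mechanically before signing. The following is an added example, not code from the thread or from BIND: a small Python linter run over a constructed zone file that flags a DS record at the zone's own apex, or an $INCLUDE of the apex's own dsset-* file, while leaving DS records for child delegations alone. The sample zone text and the DIGEST_PLACEHOLDER values are constructed.

```python
import os

# Constructed sample zone (not from the thread): the keyset and the zone's own
# dsset file are both $INCLUDEd, and a DS for the apex sits in the zone itself.
SAMPLE_ZONE = """\
$ORIGIN fakessh.eu.
$TTL 3600
@      IN SOA ns1.fakessh.eu. hostmaster.fakessh.eu. 2011011401 7200 900 1209600 3600
       IN NS  ns1.fakessh.eu.
$INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu
$INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu
fakessh.eu. IN DS 12345 8 2 DIGEST_PLACEHOLDER
child  IN NS  ns1.child.fakessh.eu.
child  IN DS  23456 8 2 DIGEST_PLACEHOLDER
"""

CLASSES = {"IN", "CH", "HS"}

def expand_name(name, origin):
    """Expand a zone-file owner name to a lowercase fully qualified name."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def find_misplaced_ds(zone_text, zone_name):
    """Return (line_no, message) for DS data that belongs in the parent zone."""
    apex = zone_name.lower().rstrip(".") + "."
    origin, owner, findings = apex, apex, []
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]             # drop comments
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
        elif toks[0] == "$INCLUDE":
            base = os.path.basename(toks[1])
            # dsset-<zone> is what you hand to the parent, never include it here
            if base.startswith("dsset-") and expand_name(base[6:], origin) == apex:
                findings.append((no, f"{toks[1]} is the apex DS set: hand it to the parent"))
        elif toks[0].startswith("$"):
            continue                            # $TTL and other directives
        else:
            if not line[0].isspace():           # new owner name on this line
                owner = expand_name(toks.pop(0), origin)
            while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
                toks.pop(0)                     # skip optional TTL and class
            if toks and toks[0].upper() == "DS" and owner == apex:
                findings.append((no, f"DS for {apex} inside its own zone: belongs in the parent"))
    return findings
```

Run it on your unsigned zone file before dnssec-signzone; a DS under a delegation such as child.fakessh.eu is correct and is not reported.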



More information about the bind-users mailing list