DNSSEC not populating parent zone files with DS records

Raymond Drew Walker Ray.Walker at nau.edu
Tue Oct 4 18:31:03 UTC 2011


-----Original Message-----

From: Tony Finch <dot at dotat.at>
Date: Mon, 3 Oct 2011 14:59:38 +0100
To: Michael Sinatra <michael at rancid.berkeley.edu>
Cc: <owens at nysernet.org>, <bind-users at lists.isc.org>, Raymond Walker
<ray.walker at nau.edu>
Subject: Re: DNSSEC not populating parent zone files with DS records

>Michael Sinatra <michael at rancid.berkeley.edu> wrote:
>>
>> There are ways of getting the DS records into the zone(s).  Here are
>>some
>> steps that I took on some test zones:
>
>Alternatively, set "update-policy local;" on your parent zone and use this
>little pipeline on the master server. Substitute $parent and $child as
>necessary:
>
>  dig +noall +answer dnskey $child |
>  dnssec-dsfromkey -f /dev/stdin $child |
>  (echo "zone $parent"; sed 's/^/update add /'; echo "send") |
>  nsupdate -l

In testing, this pipe sets up the following for nsupdate which fails:

zone nautest.edu
update add test3.nautest.edu. IN DS 35113 5 1 4D27C35B0F638218659F740252604980CE445F16
update add test3.nautest.edu. IN DS 35113 5 2 843544D4F01EE147257FBDB92D9AC3C51129DEF0FC7D972D57EB6E20 550E4161
send
The error is:
ttl 'IN': not a valid number
syntax error


I have been unable to determine the correct method to add a DS record by
hand. The ultimate goal would be the automation of this process.

Am I also missing somewhere in the RFC where NS records of child zones
need to be populated in the parent? Is this something that has changed with
the addition of DNSSEC?

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
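Added example (not from Raymond's message or Tony's reply): nsupdate's grammar for an addition is `update add <name> <ttl> [class] <type> <rdata>`, and dnssec-dsfromkey prints `<name> IN DS ...` with no TTL field, so the bare lines put `IN` where nsupdate expects a number, which is the `ttl 'IN': not a valid number` error quoted above. The script below rewrites those lines with an explicit TTL before they reach nsupdate. The `ds_to_nsupdate` and `publish_ds` function names and the 3600-second TTL are this example's choices; the sample DS lines are the two from the message, in the single-line form dnssec-dsfromkey emits.

```shell
#!/bin/sh
# Added example, not part of the thread. Converts dnssec-dsfromkey output
# ("owner IN DS keytag alg digesttype digest") into an nsupdate script whose
# "update add" lines carry the TTL that nsupdate's grammar requires:
#   update add <name> <ttl> [class] <type> <rdata>

# ds_to_nsupdate PARENT TTL: read dnssec-dsfromkey lines on stdin and write a
# complete nsupdate transaction (zone / update add ... / send) on stdout.
ds_to_nsupdate() {
    parent=$1
    ttl=$2
    echo "zone $parent"
    # "rest" keeps the remainder of each line intact, so a SHA-256 digest that
    # dnssec-dsfromkey splits into two hex tokens is passed through unchanged
    # (BIND's DS rdata parser accepts whitespace inside the hex digest).
    while read -r name class type rest; do
        [ "$class" = "IN" ] && [ "$type" = "DS" ] || continue
        echo "update add $name $ttl IN DS $rest"
    done
    echo "send"
}

# publish_ds CHILD PARENT [TTL]: the pipeline from Tony's reply with the TTL
# step spliced in. Run on the parent's master with "update-policy local;" set
# on $parent. Not exercised below: it needs dig, dnssec-dsfromkey and a live named.
publish_ds() {
    child=$1
    parent=$2
    ttl=${3:-3600}
    dig +noall +answer dnskey "$child" |
      dnssec-dsfromkey -f /dev/stdin "$child" |
      ds_to_nsupdate "$parent" "$ttl" |
      nsupdate -l
}

# Sample input: the two DS lines quoted in the message, one record per line
# as dnssec-dsfromkey actually prints them (the archive wrapped them).
SAMPLE_DS='test3.nautest.edu. IN DS 35113 5 1 4D27C35B0F638218659F740252604980CE445F16
test3.nautest.edu. IN DS 35113 5 2 843544D4F01EE147257FBDB92D9AC3C51129DEF0FC7D972D57EB6E20 550E4161'

# Dry run: print the nsupdate script that would be sent, without sending it.
printf '%s\n' "$SAMPLE_DS" | ds_to_nsupdate nautest.edu 3600
```

Two cautions before wiring this into a cron job. First, `dig dnskey $child` without an `@server` asks whatever resolver is in /etc/resolv.conf, so a spoofed or stale answer would publish an attacker's or a retired key's DS in the parent; query the child's authoritative master directly, or take the DNSKEY out of band, and check that the key tag (35113 above) matches what the child operator published. Second, keep the dry run (`ds_to_nsupdate` without `nsupdate -l`) as a review step: the parent's DS set is what the whole chain of trust below it hangs on.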
