DNSSEC not populating parent zone files with DS records
Tony Finch
dot at dotat.at
Thu Oct 6 10:04:52 UTC 2011
Raymond Drew Walker <Ray.Walker at nau.edu> wrote:
>
> After reading this, RFC1034, and conferring with the original implementor
> of DNS at our institution, I have a better wrangle on the NS issue. Child
> zone NS records were never populated in the parent because all zones were
> under the same name servers, and "it just worked" (circa the early 90's.)
> I mistakenly inherited on this understanding... until now.
There's a note about this in the BIND ARM documentation for stub zones:
Stub zones can be used to eliminate the need for glue NS record in
a parent zone at the expense of maintaining a stub zone entry and
a set of name server addresses in named.conf. This usage is not
recommended for new configurations, and BIND 9 supports it only in
a limited way. In BIND 4/8, zone transfers of a parent zone
included the NS records from stub children of that zone. This
meant that, in some cases, users could get away with configuring
child stubs only in the master server for the parent zone. BIND 9
never mixes together zone data from different zones in this way.
Therefore, if a BIND 9 master serving a parent zone has child stub
zones configured, all the slave servers for the parent zone also
need to have the same child stub zones configured.
> As for better automation of DNSSEC, my research lends little to no
> information on proper child/parent DS record population. I am curious
> about how to properly deploy in the future.
It's hard. There is deliberately very little coupling between a child zone
and its parent, which is good because it makes the DNS more robust, but
bad because you have to use out-of-band and often manual procedures to
keep the zone's delegation in sync. This is true whether or not you have
DNSSEC.
If you run both the child and parent zones then dnssec-signzone can be
told to manage DS records automatically: it generates dsset files when
signing a child zone, and inserts DS records when signing a parent zone
based on those dsset files. Sadly auto-dnssec doesn't do this.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
South Utsire, Forties, Cromarty, Forth, Tyne, Dogger, Fisher: Westerly veering
northwesterly 6 to gale 8, occasionally 5 at first in South Utsire. Moderate
or rough in Cromarty, Forth and Tyne, otherwise rough or very rough. Squally
showers. Moderate or good, occasionally poor at first in Fisher.
More information about the bind-users
mailing list