DNSSEC for NS delegation record
Marc Lampo
marc.lampo at eurid.eu
Wed Jul 18 06:34:28 UTC 2012
Hello,
(the easiest way)
1) The admins of sub1.testing.net. should generate ZSK and KSK.
-> The parent cannot do this for the child
2) You do not need the key file*s* of the child, in the parent.
If, by using the plural form, you mean both public (.key) and private
(.private) file.
3) The easiest way : using the bind tools (and this is the bind
mailing list)
the child will find a dsset- file after signing its zone
-> the parent can include *this* file in its testing.net zone
Alternatively :
The child can provide the public part of the KSK
and, using the bind tool dnssec-dsfromkey the parent can obtain the DS
records itself.
4) How to include :
you are already using $INCLUDE statements now, so, include the file with
DS info, I'd say.
One additional comment :
By signing the child sub1.testing.net. only, not much will happen,
for DNSSEC.
You need to complete the chain of trust by also signing the parent testing.net.
and having its DS information published in its parent, net. !
Kind regards,
Marc Lampo
Security Officer
EURid
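The following is an added example (not part of the original thread and not BIND's own code) showing what the parent actually derives from the child's public KSK, i.e. what dnssec-dsfromkey or the dsset- file written by dnssec-signzone gives you: the key tag (RFC 4034 Appendix B) and the DS digest over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5, SHA-256 per RFC 4509). The zone name sub1.testing.net. and the key material are constructed placeholders (the "RSA" blobs are a few bytes long and are not real keys). The point it demonstrates is Marc's answer: the parent needs only the public DNSKEY of the KSK, never the .private file, and the ZSK is skipped.

```python
"""Derive DS records from a child zone's public KSK, the way the parent
would with `dnssec-dsfromkey` (RFC 4034 section 5, RFC 4509).

Added example for illustration; it is not BIND code.  The zone name and
key material below are constructed placeholders, not real keys.
"""
import base64
import hashlib
import struct

# Constructed sample: what the child hands over, i.e. the public .key
# files (KSK flags=257, ZSK flags=256).  The key blobs are minimal fake
# RSA encodings (exponent 65537 + a 4-byte "modulus"), not real keys.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 42152, for sub1.testing.net.
sub1.testing.net. IN DNSKEY 257 3 8 AwEAAd6tvu8=
; This is a zone-signing key, for sub1.testing.net.
sub1.testing.net. IN DNSKEY 256 3 8 AwEAAcr+ur4=
"""

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257)

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 6.2."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey_lines(text):
    """Yield (owner, flags, protocol, algorithm, pubkey_bytes) for each
    DNSKEY presentation-format line; ';' comments and blank lines skip."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        idx = fields.index("DNSKEY")  # tolerate optional TTL / class tokens
        owner = fields[0]
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        pub = base64.b64decode("".join(fields[idx + 4:]))
        yield owner, flags, proto, alg, pub


def dnskey_rdata(flags: int, proto: int, alg: int, pub: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + pub


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner: str, rdata: bytes) -> bytes:
    """The bytes the DS digest covers: canonical owner name + DNSKEY RDATA."""
    return name_to_wire(owner) + rdata


def ds_records(key_file_text, digest_types=(2,), ksk_only=True):
    """Return dsset-style DS lines for the keys in key_file_text.

    Only the KSK (SEP bit set) is needed in the parent; ZSKs are skipped
    unless ksk_only=False.  Output mirrors the dsset-<zone> file layout:
    owner, class, type, key tag, algorithm, digest type, digest.
    """
    out = []
    for owner, flags, proto, alg, pub in parse_dnskey_lines(key_file_text):
        if ksk_only and not (flags & SEP_FLAG):
            continue
        rdata = dnskey_rdata(flags, proto, alg, pub)
        tag = key_tag(rdata)
        for dt in digest_types:
            digest = DIGEST_TYPES[dt](ds_digest_input(owner, rdata)).hexdigest().upper()
            out.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return out


if __name__ == "__main__":
    # Both digest types, as dsset- files of the BIND 9.7/9.8 era carried.
    for rr in ds_records(SAMPLE_KEY_FILE, digest_types=(1, 2)):
        print(rr)
```

The printed lines are exactly what goes into the parent zone (by $INCLUDE of the dsset- file, or pasted in), after which testing.net must be re-signed so the DS gets its own RRSIG. With real keys the same result comes from `dnssec-dsfromkey Ksub1.testing.net.+008+42152.key` on the child's public .key file; if the DS in the parent does not match a DNSKEY actually published at the child apex, validators will treat sub1.testing.net as bogus rather than insecure, so check the key tag against the child's live DNSKEY RRset before publishing.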
From: Khuu, Linh Contractor [mailto:Linh.Khuu at ssa.gov]
Sent: Tuesday, 17 July 2012 16:36
To: 'bind-users at lists.isc.org'
Subject: DNSSEC for NS delegation record
Hi,
I have questions about how to configure the DNS with an NS delegation record
once it's signed.
My DNS server is the parent zone, for example, testing.net and is signed
with DNSSEC. My zone configuration is as follows:
$TTL 36000
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32934.key ; key signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)
Testing.net. IN NS dns1.testing.net.
Testing.net. IN NS dns2.testing.net.
www IN A 168.168.168.168
access IN NS sub1.testing.net.
As of right now, sub1.testing.net isn't DNSSEC compliant yet. We
want sub1.testing.net to be DNSSEC aware.
My question is, do we (as parent of the testing.net zone) need to generate the
key signing key (KSK) and zone signing key (ZSK) for sub1.testing.net, or
should the sub1.testing.net server do that? If they generate the keys
to sign all the records in their server, do they need to send us their key
files? How do we (as parent) include those keys in our zone file?
Thanks,
Linh Khuu