DNSSEC / Include a subdomain's KSK data, ZSK data or both in parent domain?

Douglas C. Stephens stephens at ameslab.gov
Thu Dec 7 21:33:29 UTC 2017



Ralph,

I run a site with a similar arrangement of parent and child zones on
the same signing server with "auto-dnssec maintain" and
"inline-signing yes".

My research found that only DS records for the child zone's KSK(s)
needed to be put into the parent zone.  I was very happy to find
DNSViz (http://dnsviz.net) confirmed that for me.

BIND 9.11.x did not automatically do that for my configuration, so my
automated scripts take care of it for me.


On 12/7/2017 10:45 AM, Ralph Seichter wrote:
> Hello list members.
> 
> I use the following configuration for a domain-subdomain pair:
> 
> zone "example.com" IN { type master; file "pri/example.com.zone"; 
> auto-dnssec maintain; inline-signing yes; };
> 
> zone "subdom.example.com" IN { type master; file
> "pri/subdom.example.com.zone"; auto-dnssec maintain; inline-signing
> yes; };
> 
> As you can see, I specified automatic maintenance for both zones,
> and I have included DS records for both the subdomain's key-signing
> key and zone-signing key, freshly generated today, in
> example.com.zone. DNSSEC verification succeeds with this setup.
> However, with BIND's automatic maintenance, I am not quite sure if
> this will change over time.
> 
> Would it be sufficient/advisable to include only the subdomain's
> KSK data in the parent domain's zone file and remove ZSK data, or
> do I need to keep both?
> 
> -Ralph
> 

-- 
Douglas C. Stephens		| Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
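The point made in the reply above (the parent needs DS records only for the child's KSKs, and BIND's automatic maintenance does not publish them into the parent for you) is easy to verify with a small script. The following is an added example written for this page; it is not code from the mailing-list post and not part of BIND. It implements the RFC 4034 key-tag and DS (digest type 2, SHA-256) computation directly so it runs without dnssec-dsfromkey, selects only DNSKEYs with the SEP bit set (flags 257), and compares the result with the DS set actually published in the parent. The DNSKEY lines, owner names and the short base64 "keys" are constructed sample data, not real keys; only digest type 2 is computed, so a parent that publishes SHA-1 (type 1) DS records would need the digest type adjusted.

```python
"""Compute the DS records a parent zone must carry for a child zone's KSKs
and compare them with the DS set actually published in the parent.

Added example, not from the mailing-list post and not BIND code.  Key-tag
and DS computation follow RFC 4034 (Appendix B and section 5.1.4).  The
DNSKEY/DS lines below are constructed sample data; the base64 "keys" are
not real public keys.
"""
import base64
import hashlib

SEP_FLAG = 0x0001  # RFC 4034 s2.1.1: Secure Entry Point bit marks a KSK
DIGEST_TYPE_SHA256 = 2


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (presentation format)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) || protocol(1) || algorithm(1) || public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key-tag algorithm (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_dnskey(line: str) -> tuple:
    """(owner, key_tag, alg, digest_type, digest) of the DS matching one DNSKEY."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return (owner.lower(), key_tag(rdata), alg, DIGEST_TYPE_SHA256, digest)


def parse_ds(line: str) -> tuple:
    """Parse 'owner [ttl] [IN] DS tag alg digest_type hex...' into the same tuple shape."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return (fields[0].lower(), tag, alg, dtype, "".join(fields[idx + 4:]).upper())


def render_ds(ds: tuple, ttl: int = 3600) -> str:
    owner, tag, alg, dtype, digest = ds
    return f"{owner} {ttl} IN DS {tag} {alg} {dtype} {digest}"


def is_ksk(dnskey_line: str) -> bool:
    return bool(parse_dnskey(dnskey_line)[1] & SEP_FLAG)


def check_parent_ds(child_dnskeys: list, parent_ds: list) -> dict:
    """needed : DS records for the child's KSKs (what the parent should carry)
    missing: needed DS records absent from the parent (validation would fail)
    extra  : parent DS records matching no current child KSK: a ZSK's DS,
             which validators do not need, or a DS left from a rolled key."""
    needed = {ds_for_dnskey(l) for l in child_dnskeys if is_ksk(l)}
    present = {parse_ds(l) for l in parent_ds}
    return {"needed": needed, "missing": needed - present, "extra": present - needed}


# Constructed sample child DNSKEY RRset: one KSK (257) and one ZSK (256).
CHILD_DNSKEYS = [
    "subdom.example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "subdom.example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==",
]
# What example.com should publish for subdom.example.com: the KSK's DS only.
EXPECTED_PARENT_DS = [render_ds(ds_for_dnskey(l)) for l in CHILD_DNSKEYS if is_ksk(l)]
# A parent DS set built like the one in the question: DS for the KSK and the ZSK.
BOTH_KEYS_DS = [render_ds(ds_for_dnskey(l)) for l in CHILD_DNSKEYS]

if __name__ == "__main__":
    for name, ds_set in (("KSK only", EXPECTED_PARENT_DS), ("KSK+ZSK", BOTH_KEYS_DS)):
        r = check_parent_ds(CHILD_DNSKEYS, ds_set)
        print(f"{name}: missing={len(r['missing'])} extra={len(r['extra'])}")
        for ds in sorted(r["extra"]):
            print("  extra DS (not a child KSK):", render_ds(ds))
```

Run against a real pair of zones, the child DNSKEY lines come from `dig +norec subdom.example.com DNSKEY` on the signing server and the parent lines from the signed example.com zone; with `auto-dnssec maintain` the check is worth re-running after every KSK rollover, since that is exactly the moment the parent's DS set goes stale. The same DS text can also be produced with BIND's own `dnssec-dsfromkey -2` on the KSK's `.key` file, which is the usual building block for the kind of automation the reply describes.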
