DNSSEC: give KSK from my domain to parent zones

Thu Oct 4 15:03:23 UTC 2018

Hello, thanks to both of you for your help. Now I understand I have to
contact my registrar in order to give it the DS of the KSK.

Please I have a last question:

I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:

client1.com.uk
client2.edu.uk
client3.info.uk

Can I sign theses client zones with my ZSK, or do I have to have a
different key for each domain?

And do I have to tell my clients I will sign their zones or it is
transparent for them?

Thanks a lot again, regards !!!

El mié., 3 oct. 2018 a las 16:36, Mark Andrews (<marka at isc.org>) escribió:

> You give the matching DS record via your registrar much the same way as
> you do the NS RRset or glue address records.  If your registrar doesn’t
> support DNSSEC you will need to change registrars.
>
> If your parent zone uses CDS or CDNSKEY then publish those records at the
> zone apex.
>
> If your parent zone is not signed then start complaining.
>
> --
> Mark Andrews
>
> On 4 Oct 2018, at 05:24, Roberto Carna <robertocarna36 at gmail.com> wrote:
>
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
>
> Let's say my domain is "robert.com.uk".
>
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???
>
> And what if COM or UK don't use DNSSEC at all ???
>
> Thanking in advance,
>
> Robert
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20181004/caa5cdd7/attachment.html>