DNSSEC: give KSK from my domain to parent zones

Roberto Carna robertocarna36 at gmail.com
Thu Oct 4 19:56:43 UTC 2018


Thanks a lot Mark, regards !!!

On Thu, Oct 4, 2018 at 16:18, Mark Elkins (<mje at posix.co.za>) wrote:

>
>
> On 10/04/2018 05:03 PM, Roberto Carna wrote:
>
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some other domains from our
> clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?
>
>
> I believe common practice is to create separate KSK and ZSK keys for each
> domain - so each domain will have their own DS records in the parent. This
> way, if one of the clients moves their domain to a new DNS provider - there
> is no security conflict in the move from shared keys.
>
> (Use a different Key)
>
> And do I have to tell my clients I will sign their zones, or is it
> transparent for them?
>
>
> DNSSEC is a good thing - but I'd suggest telling the clients that this is
> happening. DNSSEC usually introduces the need to have extra DNS actions
> happen - even on an otherwise static Zone. Thus - there is more that might
> possibly break. On the other hand, it makes resolving items in that zone far
> more secure and allows for newer possibilities such as TLSA records for Web
> and Mail services. I believe the customer should be made aware of all these
> pros and cons.
>
> (Yes)
>
> Thanks a lot again, regards !!!
>
>
>
> On Wed, Oct 3, 2018 at 16:36, Mark Andrews (<marka at isc.org>) wrote:
>
>> You give the matching DS record via your registrar much the same way as
>> you do the NS RRset or glue address records.  If your registrar doesn’t
>> support DNSSEC you will need to change registrars.
>>
>> If your parent zone uses CDS or CDNSKEY then publish those records at the
>> zone apex.
>>
>> If your parent zone is not signed then start complaining.
>>
>> --
>> Mark Andrews
>>
>> On 4 Oct 2018, at 05:24, Roberto Carna <robertocarna36 at gmail.com> wrote:
>>
>> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
>> 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent zones, let's
>> say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>
>
>
> --
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
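As an added example (not code from the thread or from BIND), here is the check a zone operator wants after handing the DS to the registrar: derive the DS (digest type 2, SHA-256) from the KSK's DNSKEY fields as RFC 4034/4509 specify, then compare it with the DS the parent actually serves (for example the output of `dig +noall +answer DS robert.com.uk`). The owner name "robert.com.uk." is the one from the thread; the KSK public key bytes are constructed and not a real key. BIND's `dnssec-dsfromkey` produces the same DS, so this serves as an independent cross-check of what got published.

```python
# Added example (not from the thread): compute the DS that a registrar should publish
# for a zone's KSK and check it against the DS actually seen in the parent zone.
import base64
import hashlib
import struct

def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [lb for lb in owner.rstrip(".").lower().split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA exactly as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64) -> dict:
    """DS with digest type 2 (RFC 4509): SHA-256(owner wire name || DNSKEY RDATA).
    A CDS record at the zone apex carries exactly the same RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def parse_ds_line(line: str) -> dict:
    """Parse one DS record in presentation format (dig may split the digest into several words)."""
    tok = line.split()
    i = tok.index("DS")
    return {"key_tag": int(tok[i + 1]), "algorithm": int(tok[i + 2]),
            "digest_type": int(tok[i + 3]), "digest": "".join(tok[i + 4:]).upper()}

def ds_matches(published: dict, expected: dict) -> bool:
    """True only if every field of the published DS equals the one derived from our KSK."""
    return all(published[k] == expected[k] for k in ("key_tag", "algorithm", "digest_type", "digest"))

# Constructed sample KSK (flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256);
# the public key bytes are made up for the example and are NOT a real key.
SAMPLE_OWNER = "robert.com.uk."
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode("ascii")
EXPECTED_DS = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)

def check_parent(ds_lines) -> bool:
    """Does any DS served by the parent match our KSK? (Extra ones may be stale or a rollover.)"""
    return any(ds_matches(parse_ds_line(ln), EXPECTED_DS) for ln in ds_lines)

if __name__ == "__main__":
    d = EXPECTED_DS
    print(f"{SAMPLE_OWNER} IN DS {d['key_tag']} {d['algorithm']} {d['digest_type']} {d['digest']}")
```

Feed `check_parent` the DS lines returned by the parent; a False result after the registrar says the DS is live means the wrong key, digest type or owner name was submitted.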

