In message <20110426011334.GE2976@cardinal>, /dev/rob0 writes:

> I feel like I am understanding the "how" of this DNSSEC stuff, but
> I'm not so sure about some of the "whys". This post is asking a bit
> of both.
>
> I've got a static zone, nodns4.us., which is now signed. It's the
> parent zone to dynamic.nodns4.us., a dynamic zone. Is there any
> reason why I can't use the parent zone's KSK for the dynamic zone?
> Better yet, is there a reason why I shouldn't?
>
> If I do, what (if anything) does the parent zone need as DS for the
> dynamic zone? DNSKEY (the .key file as generated by dnssec-keygen(8))
> goes into the dynamic zone via nsupdate(8) as per the
> bind-9.8.0/arm/Bv9ARM.ch04.html#id2607351 documentation.

It needs a DS exactly the same way as .us needs the DS records for nodns4.us.

> If using the same KSK, is that entered as a DNSKEY into the dynamic
> zone also? But of course as dynamic.nodns4.us. rather than the name
> as which it was generated, nodns4.us. (Maybe this is the problem?)
>
> I tried adding the dsset-nodns4.us. to nodns4.us as DS for
> dynamic.nodns4.us. But AFAICT the signature verification is failing.
> I bet my idea about DS was wrong. But my idea about no DS was also
> apparently wrong, because signatures didn't verify before adding DS
> records to the parent.

The DS records include the owner name of the DNSKEY record in the hash.
You can't take a DS from one DNSKEY and use it for another DNSKEY with a
different name even if it shares the public key and other DNSKEY parameters.

> How/where do you get these DS records with dynamic signing? My
> dsset-nodns4.us. was generated by dnssec-signzone(8). I see no
> mention in the ARM about this.

dnssec-dsfromkey can generate DS records from DNSKEY records.

> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
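As an added illustration (not part of the reply above, nor BIND's own code), here is the RFC 4034 DS computation carried out in Python for one constructed public key published under both owner names; it shows why a dsset generated for nodns4.us. cannot serve as the DS for dynamic.nodns4.us. even when the DNSKEY bytes are identical. The key material is a made-up placeholder, not a real key from the thread.

```python
import base64
import hashlib
import struct

# RFC 4034 s5.1.4: DS digest = hash(owner name in canonical wire form || DNSKEY RDATA).
# Because the owner name is part of the hashed input, the same key under two
# names produces two different DS records (this is what dnssec-dsfromkey computes).


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Presentation-format DS record using digest type 2 (SHA-256)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


# Constructed placeholder key bytes (NOT a real DNSKEY); flags 257 = KSK (SEP bit set).
KEY_B64 = base64.b64encode(b"constructed-placeholder-public-key-bytes").decode()


def demo():
    """Same DNSKEY under the parent and the child name: same key tag, different DS."""
    parent = ds_record("nodns4.us.", 257, 3, 8, KEY_B64)
    child = ds_record("dynamic.nodns4.us.", 257, 3, 8, KEY_B64)
    return parent, child


if __name__ == "__main__":
    for rr in demo():
        print(rr)
```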