-----Original Message-----
From: Tony Finch <d...@dotat.at>
Date: Mon, 3 Oct 2011 14:59:38 +0100
To: Michael Sinatra <mich...@rancid.berkeley.edu>
Cc: <ow...@nysernet.org>, <bind-users@lists.isc.org>, Raymond Walker <ray.wal...@nau.edu>
Subject: Re: DNSSEC not populating parent zone files with DS records

>Michael Sinatra <mich...@rancid.berkeley.edu> wrote:
>>
>> There are ways of getting the DS records into the zone(s). Here are some
>> steps that I took on some test zones:
>
>Alternatively, set "update-policy local;" on your parent zone and use this
>little pipeline on the master server. Substitute $parent and $child as
>necessary:
>
>    dig +noall +answer dnskey $child |
>    dnssec-dsfromkey -f /dev/stdin $child |
>    (echo "zone $parent"; sed 's/^/update add /'; echo "send") |
>    nsupdate -l

In testing, this pipe sets up the following for nsupdate, which fails:

    zone nautest.edu
    update add test3.nautest.edu. IN DS 35113 5 1 4D27C35B0F638218659F740252604980CE445F16
    update add test3.nautest.edu. IN DS 35113 5 2 843544D4F01EE147257FBDB92D9AC3C51129DEF0FC7D972D57EB6E20 550E4161
    Send

The error is:

    ttl 'IN': not a valid number
    syntax error

I have been unable to determine the correct method to add a DS record by
hand. The ultimate goal would be the automation of this process.

Am I also missing somewhere in the RFC where NS records of children zones
need be populated in the parent? Is this something that has changed with
the addition of DNSSEC?

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
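
An added example, not part of the thread and not ISC's code: nsupdate's `update add` expects the TTL before the class (`update add name ttl [class] type data`), which is why the TTL-less lines above fail with "ttl 'IN': not a valid number". The hypothetical `ds_to_nsupdate` helper below inserts an explicit TTL (3600 is an assumed value), rejoins digests split by spaces, and refuses anything that is not a DS record below the named parent zone.

```shell
#!/bin/sh
# Added example (not from the thread). ds_to_nsupdate is a hypothetical helper
# that turns DS records on stdin into an nsupdate script with an explicit TTL.
# usage: dnssec-dsfromkey ... | ds_to_nsupdate PARENT TTL | nsupdate -l
ds_to_nsupdate() {
    parent=${1%.}
    ttl=$2
    case $ttl in
        ''|*[!0-9]*) echo "ds_to_nsupdate: TTL must be numeric" >&2; return 1 ;;
    esac
    awk -v parent="$parent" -v ttl="$ttl" '
        BEGIN { suffix = "." tolower(parent) "." }
        NF == 0 { next }
        {
            i = 2
            if ($i ~ /^[0-9]+$/) i++        # TTL already present: replaced by ours
            if (toupper($i) == "IN") i++    # class is optional in zone-file syntax
            owner = tolower($1)
            tail = substr(owner, length(owner) - length(suffix) + 1)
            # Fail closed: only DS records for names below the parent zone.
            if (toupper($i) != "DS" || NF < i + 4 ||
                length(owner) <= length(suffix) || tail != suffix) {
                print "ds_to_nsupdate: rejected: " $0 > "/dev/stderr"
                err = 1; exit
            }
            # Key tag, algorithm, digest type; then the digest, which may be
            # split by spaces (as in the SHA-256 record above) and is rejoined.
            line = "update add " $1 " " ttl " IN DS"
            for (j = i + 1; j <= NF; j++) line = line (j > i + 4 ? "" : " ") $j
            out = out line "\n"; n++
        }
        END {
            if (err || n == 0) exit 1       # nothing valid: emit no script at all
            printf "zone %s\n%ssend\n", parent, out
        }
    '
}

# Demo input: the two DS records quoted in the message above.
ds_to_nsupdate nautest.edu 3600 <<'EOF'
test3.nautest.edu. IN DS 35113 5 1 4D27C35B0F638218659F740252604980CE445F16
test3.nautest.edu. IN DS 35113 5 2 843544D4F01EE147257FBDB92D9AC3C51129DEF0FC7D972D57EB6E20 550E4161
EOF
```

The DNSKEY set comes from an ordinary dig query, so check the key tags against the child operator's keys before piping the script to `nsupdate -l`.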