In message <349af545493290449749762c5f03929a0cf3bcc...@hq-mb-08.ba.ad.ssa.gov>, "Khuu, Linh Contractor" writes:
> Hi,
>
> I have questions about how to configure the DNS with NS delegation record once it's signed.
>
> My DNS server is the parent zone, for example, "testing.net" and is signed with DNSSEC. My zone configuration is as follows:
>
> $TTL 36000
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
> $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
> @ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)
>
> Testing.net. IN NS dns1.testing.net.
> Testing.net. IN NS dns2.testing.net.
> www IN A 168.168.168.168
> access IN NS sub1.testing.net.
>
> As of right now, the "sub1.testing.net" isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware.
>
> My question is, do we (as parent of testing.net zone) need to generate the key (KSK) and zone key (ZSK) for the "sub1.testing.net" or will the "sub1.testing.net" server need to do that? If they generate the keys to sign all the records in their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?
The child generates its own keys and sends the DNSKEY and/or matching DS record to the parent. It is the DS record that gets added to the parent zone to make a secure delegation. DS records are computed from the DNSKEY record.

> Thanks,
> Linh Khuu

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
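As an added example (not part of the original post, and not BIND's own code), the sketch below computes a DS record from a DNSKEY as RFC 4034 describes, which lets a parent check a DS it receives against the child's published DNSKEY before adding it to the zone. The key material is constructed filler, the function names are hypothetical, and the child zone name `access.testing.net` is taken from the delegation in the quoted zone file.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

# Constructed placeholder key material (exponent 65537 + 128 filler octets),
# not a real RSA key and not taken from the thread.
SAMPLE_KEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 129))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, uncompressed, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            key_b64: str, digest_type: int = 2) -> str:
    """Return the DS record (presentation format) the parent would publish."""
    if not flags & 0x0100:
        raise ValueError("DS must point at a DNSKEY with the Zone Key flag set")
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

if __name__ == "__main__":
    # Flags 257 = key signing key; algorithm 7 matches the +007 key files above.
    print(make_ds("access.testing.net.", 257, 3, 7, SAMPLE_KEY_B64))
```

Because the owner name is part of the hashed input, a DS computed for one zone name cannot be reused for another zone even if the key is the same.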