Hello,
(the easiest way)

1) The admins of sub1.testing.net. should generate ZSK and KSK. -> The parent cannot do this for the child.

2) You do not need the key file*s* of the child, in the parent. If, by using the plural form, you mean both public (.key) and private (.private) file.

3) The easiest way: using the bind tools (and this is the bind mailing list) the child will find a dsset- file after signing its zone -> the parent can include *this* file in its testing.net zone.
   Alternatively: the child can provide the public part of the KSK and, using the bind tool dnssec-dsfromkey, the parent can obtain the DS records itself.

4) How to include: you are already using $INCLUDE statements now, so include the file with DS info, I'd say.

One additional comment:
By signing the child sub1.testing.net. only, not much will happen, for DNSSEC. You need to complete the chain of trust by also signing the parent testing.net. - and having its DS information published in its parent net. !

Kind regards,

Marc Lampo
Security Officer
EURid

From: Khuu, Linh Contractor [mailto:linh.k...@ssa.gov]
Sent: Tuesday 17 July 2012 16:36
To: 'bind-users@lists.isc.org'
Subject: DNSSEC for NS delegation record

Hi,

I have questions about how to configure the DNS with NS delegation record once it's signed. My DNS server is the parent zone, for example, testing.net, and is signed with DNSSEC. My zone configuration is as follows:

    $TTL 36000
    $INCLUDE /var/named9/dnssec-testing/Ktesting.net..+007+32934.key ; key signing key
    $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
    $INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
    @               IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)
    Testing.net.    IN NS  dns1.testing.net.
    Testing.net.    IN NS  dns2.testing.net.
    www             IN A   168.168.168.168
    access          IN NS  sub1.testing.net.

As of right now, the sub1.testing.net isn't DNSSEC compliant yet. We want sub1.testing.net to be DNSSEC aware. My question is, do we (as parent of testing.net zone) need to generate the key (KSK) and zone key (ZSK) for the sub1.testing.net or should the sub1.testing.net server need to do that? If they generate the keys to sign all the records in their server, do they need to send us their key files? How do we (as parent) include those keys in our zone file?

Thanks,
Linh Khuu
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
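Marc's point 3 describes two ways for the parent to obtain the child's DS record: take the dsset- file that dnssec-signzone writes, or run dnssec-dsfromkey over the public KSK the child hands over. The following is an added example, not code from the thread or from BIND: it reimplements what dnssec-dsfromkey computes, so a parent operator can see what a DS record actually is and check a DS the child supplies before $INCLUDE-ing it. It follows RFC 4034 section 5.1.4 (digest over the canonical owner name plus the DNSKEY RDATA) and Appendix B (key tag). The DNSKEY lines used as input are constructed samples with placeholder key material, not real keys from sub1.testing.net.

```python
"""Compute the DS record a parent publishes for a child's KSK.

Added example, not part of the bind-users thread and not BIND's own code.
It reproduces the arithmetic behind `dnssec-dsfromkey`: RFC 4034 s.5.1.4
(digest = hash(owner name in canonical wire format || DNSKEY RDATA)) and
RFC 4034 Appendix B (key tag).  The sample DNSKEYs below are constructed;
the base64 key material is a placeholder, not a real RSA key.
"""
import base64
import hashlib
import struct

# Constructed sample of what the child would hand the parent: the public
# KSK (SEP flag set, flags=257).  A real RSASHA256 key is hundreds of bytes.
SAMPLE_KSK = "sub1.testing.net. IN DNSKEY 257 3 8 AQIDBA=="
# Constructed ZSK (flags=256) from the same child; no DS should be made for it.
SAMPLE_ZSK = "sub1.testing.net. IN DNSKEY 256 3 8 BQYHCA=="

# DS digest types from the IANA registry; SHA-256 (2) is the one to publish.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its parts."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(dnskey_line, digest_type=2):
    """Return the DS RR text the parent publishes for this DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s.2.1.2)")
    hasher = DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def ds_records_for_keyset(dnskey_lines, digest_type=2):
    """DS records for the KSKs (SEP bit set) in a child's DNSKEY set.

    Only keys with the SEP flag (bit 15, value 1) are turned into DS records;
    a DS for a ZSK would validate but is not what the delegation should carry.
    """
    out = []
    for line in dnskey_lines:
        _, flags, _, _, _ = parse_dnskey(line)
        if flags & 0x0001:
            out.append(ds_record(line, digest_type))
    return out


if __name__ == "__main__":
    # What the parent would paste (or $INCLUDE) into testing.net for the delegation.
    for ds in ds_records_for_keyset([SAMPLE_KSK, SAMPLE_ZSK]):
        print(ds)
```

When comparing against a real dsset- file, remember the owner name is hashed in lowercase canonical form, so a DNSKEY published as Sub1.Testing.net. yields the same DS as the lowercase name, while any change to the flags, algorithm or key bytes changes both the key tag and the digest.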