rams <brames...@gmail.com> wrote:

> We have two scenarios as follows. Is there any chance to copy DS records
> through AXFR or any other method to copy child DS records into the parent
> zone?

Sort of...

> Scenario 1:
>
> Customer has domain2.com on Bind1 signed with DS records for domain2.com
> in place with registrar. Customer delegates a zone (sub.domain2.com) from
> Bind1 to another DNS provider and wants to sign the domain on the other
> provider.
>
> Assumption: We would have to host the DS records for sub.domain2.com in
> the zone file domain2.com.

They'd need to sign the zone on the other provider. This is a bit tricky, because of the need to set up the chain of trust in a secure manner. There are a few relevant specs:

RFC 7344 specifies CDS and CDNSKEY records, which allow a child zone to instruct its parent to update its existing DS records, allowing automated KSK rollovers. It doesn't help with establishing trust.

RFC 8078 extends RFC 7344 in a few ways. It has a fairly clear spec for how a child zone can choose to go insecure (which might be necessary before transferring a domain to another provider, because secure domain transfers are difficult). It also has some choose-your-own-adventure suggestions for how to establish trust in the first place.

Then there is draft-ietf-regext-dnsoperator-to-rrr-protocol which describes an HTTP-based API that fills in the missing parts of RFC 8078. The parent issues a domain authorization challenge via the API, which the child has to publish as a _delegate TXT record, to establish the chain of trust.

I'm not aware of very much code out there to implement these specs. I'm working on an RFC 7344 implementation, and for the latter there is https://github.com/APNIC-net/dns-rrr

> Scenario 2:
>
> Customer has DS records for domain3.com at registrar and has domain3.com
> and sub.domain3.com as separate zones on Bind1.
>
> Question: Since this is all on the same provider, do the DS records only
> need to exist at the registrar? Will the separate zone create an issue
> since it (sub.domain3.com) is not the same zone as what has DS records at
> the provider (domain3.com)?
In this situation the DS records at the registrar only authenticate domain3.com; you also need DS records in domain3.com to authenticate the delegation to sub.domain3.com. (DNSSEC does not allow the old bad practice of hosting a child zone on the same servers as its parent but without a delegation.)

If you are using dnssec-signzone, there is some support for automatically managing delegations when both parent and child are signed by the same system. When signing a (child) zone it will emit a dsset- file containing the DS records that the parent should publish. When signing a zone containing delegations, you can give it the -g option to make it look for dsset- files to insert into the signed zone to authenticate the delegations.

If you are doing fully-automatic signing with named, then you'll need to use dnssec-dsfromkey on the child zone's keys to create a dsset- file, and then you will have to insert the result into the parent, e.g. using `nsupdate`, or if you are using inline-signing, $INCLUDE in the unsigned version of the zone.

Either way you will need to do some careful scripting to automate the process - the tooling that comes with BIND is not quite complete.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon, Rockall, Malin, Hebrides: West or northwest, 4 or 5, decreasing 3 at times. Moderate. Showers, thundery later in Shannon. Good occasionally poor later in Shannon.
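As an added illustration of the dnssec-dsfromkey / nsupdate path described in the reply above (example code written for this page, not from the thread or from BIND): it computes the DS record for a DNSKEY the way dnssec-dsfromkey does (RFC 4034 key tag, SHA-256 digest type 2 per RFC 4509), prints it in the style of a dsset- file, and builds the nsupdate input that would replace the child's DS RRset in the parent zone. The 4-byte "public key", the server address and the owner names are constructed placeholders; a real KSK's DNSKEY goes through the same functions.

```python
# Added example: DS generation and parent-zone insertion for a BIND-style
# parent/child setup (sub.domain3.com delegated from domain3.com).
import base64
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of a name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (non-RSAMD5 form)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey_b64: str) -> dict:
    """DS fields for a DNSKEY; digest type 2 = SHA-256 over owner || RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "tag": key_tag(rdata), "alg": alg, "dtype": 2, "digest": digest}

def dsset_line(ds: dict) -> str:
    """One record in the style of the dsset- file that dnssec-signzone writes."""
    return f"{ds['owner']}\tIN DS {ds['tag']} {ds['alg']} {ds['dtype']} {ds['digest']}"

def nsupdate_script(parent: str, server: str, ds_list: list, ttl: int = 3600) -> str:
    """nsupdate input that atomically replaces the child's DS RRset in the parent."""
    lines = [f"server {server}", f"zone {parent}"]
    if ds_list:
        lines.append(f"update delete {ds_list[0]['owner']} DS")  # drop stale DS first
    for ds in ds_list:
        lines.append(f"update add {ds['owner']} {ttl} IN DS "
                     f"{ds['tag']} {ds['alg']} {ds['dtype']} {ds['digest']}")
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed KSK: flags 257 (SEP bit), protocol 3, algorithm 13, fake 4-byte key.
CHILD_DS = ds_record("sub.domain3.com.", 257, 3, 13, "AQIDBA==")

if __name__ == "__main__":
    print(dsset_line(CHILD_DS))
    print(nsupdate_script("domain3.com.", "127.0.0.1", [CHILD_DS]))
```

The nsupdate text would be piped into `nsupdate -k <tsig-key-file>` against the parent's master; with inline-signing the dsset line can instead be dropped into the unsigned parent zone via $INCLUDE.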