Hello, thanks to both of you for your help. Now I understand I have to contact my registrar in order to give it the DS of the KSK.
Please I have a last question: I have two DNS servers running BIND 9.10, they have delegated my own domain, let's say "robert.com.uk" and some other domains from our clients, let's say: client1.com.uk client2.edu.uk client3.info.uk Can I sign theses client zones with my ZSK, or do I have to have a different key for each domain? And do I have to tell my clients I will sign their zones or it is transparent for them? Thanks a lot again, regards !!! El mié., 3 oct. 2018 a las 16:36, Mark Andrews (<ma...@isc.org>) escribió: > You give the matching DS record via your registrar much the same way as > you do the NS RRset or glue address records. If your registrar doesn’t > support DNSSEC you will need to change registrars. > > If your parent zone uses CDS or CDNSKEY then publish those records at the > zone apex. > > If your parent zone is not signed then start complaining. > > -- > Mark Andrews > > On 4 Oct 2018, at 05:24, Roberto Carna <robertocarn...@gmail.com> wrote: > > Dear people, I have DNSSEC implemented in my authoritative domain in BIND > 9.10. I've created the KSK and ZSK too. > > Let's say my domain is "robert.com.uk". > > How do I have to give the KSK (key signing key) to my parent zones, let's > say COM and UK ??? > > And what if COM or UK don't use DNSSEC at all ??? > > Thanking in advance, > > Robert > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users