DNSSEC / Include a subdomain's KSK data, ZSK data or both in parent domain?

Ralph Seichter Thu, 07 Dec 2017 08:46:01 -0800

Hello list members.

I use the following configuration for a domain-subdomain pair:


  zone "example.com" IN {
      type master;
      file "pri/example.com.zone";
      auto-dnssec maintain;
      inline-signing yes;
  };

  zone "subdom.example.com" IN {
      type master;
      file "pri/subdom.example.com.zone";
      auto-dnssec maintain;
      inline-signing yes;
  };

As you can see, I specified automatic maintenance for both zones, and I
have included DS records for both the subdomain's key-signing key and
zone-signing key, freshly generated today, in example.com.zone. DNSSEC
verfication succeeds with this setup. However, with BIND's automatic
maintenance, I am not quite sure if this will change over time.

Would it be sufficient/advisable to include only the subdomain's KSK
data in the parent domain's zone file and remove ZSK data, or do I need
to keep both?

-Ralph

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNSSEC / Include a subdomain's KSK data, ZSK data or both in parent domain?

Reply via email to