Ralph,

I run a site with a similar arrangement of parent and child zones on the same signing server with "auto-dnssec maintain" and "inline-signing yes". My research found that only DS records for the child zone's KSK(s) needed to be put into the parent zone. I was very happy to find DNSViz (http://dnsviz.net) confirmed that for me. BIND 9.11.x did not automatically do that for my configuration, so my automated scripts take care of it for me.

On 12/7/2017 10:45 AM, Ralph Seichter wrote:
> Hello list members.
>
> I use the following configuration for a domain-subdomain pair:
>
> zone "example.com" IN {
>     type master;
>     file "pri/example.com.zone";
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
> zone "subdom.example.com" IN {
>     type master;
>     file "pri/subdom.example.com.zone";
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
> As you can see, I specified automatic maintenance for both zones,
> and I have included DS records for both the subdomain's key-signing
> key and zone-signing key, freshly generated today, in
> example.com.zone. DNSSEC verification succeeds with this setup.
> However, with BIND's automatic maintenance, I am not quite sure if
> this will change over time.
>
> Would it be sufficient/advisable to include only the subdomain's
> KSK data in the parent domain's zone file and remove ZSK data, or
> do I need to keep both?
>
> -Ralph
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Douglas C. Stephens | Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: steph...@ameslab.gov