On 03/10/2018 21:24, Roberto Carna wrote:

Hi Roberto,

> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
>
> Let's say my domain is "robert.com.uk".
>
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???

Typically, you won't submit the KSK, but a hash of it, called a DS record. You can generate a DS record using the dnssec-dsfromkey tool, which is part of BIND.

Your domain will be registered through some registrar. You need to log into your registrar's web interface, and submit your DS record through that interface. They will transmit the DS record to the COM or UK registry which will publish the DS record.

> And what if COM or UK don't use DNSSEC at all ???

Well, COM and UK *are* signed. But if the parent isn't signed, then there's no point in publishing DS records, because there's no way to validate the chain of trust. In fact, in general unsigned parent zones will not even accept DS records.

Regards,
Anand
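The "hash of the KSK" described in the reply above, worked through as an added example that is not part of the original message or of BIND's code: a SHA-256 DS record (digest type 2) built from a DNSKEY record as specified in RFC 4034 and RFC 4509. The key material is a constructed placeholder, and the function names and the refusal of keys without the SEP bit are choices of this example.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(record: str) -> str:
    """Build a SHA-256 DS record from a one-line DNSKEY record."""
    fields = record.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if not flags & 0x0001:
        # Assumption of this example: only keys with the SEP bit (KSKs) get a DS.
        raise ValueError("SEP bit not set: this looks like a ZSK, not a KSK")
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    # The digest covers the owner name as well as the key, so the same key
    # published under a different zone name yields a different DS.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {alg} 2 {digest}"

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = f"robert.com.uk. IN DNSKEY 257 3 13 {SAMPLE_KEY}"

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK))
```

The key tag, algorithm number and digest in the output are the values a registrar's DS form typically asks for.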