On 10/04/2018 05:03 PM, Roberto Carna wrote:
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some
> other domains from our clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?

I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

(Use a different Key)

> And do I have to tell my clients I will sign their zones or it is
> transparent for them?

DNSSEC is a good thing - but I'd suggest telling the clients that this
is happening. DNSSEC usually introduces the need to have extra DNS
actions happen - even on an otherwise static Zone. Thus - there is more
that might possibly break. On the other hand, it makes resolving items in
that zone far more secure and allows for newer possibilities such as
TLSA records for Web and Mail services. I believe the customer should be
made aware of all these pros and cons.

(Yes)

> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews (<ma...@isc.org>) wrote:
>
>     You give the matching DS record via your registrar much the same
>     way as you do the NS RRset or glue address records.  If your
>     registrar doesn’t support DNSSEC you will need to change registrars.
>
>     If your parent zone uses CDS or CDNSKEY then publish those records
>     at the zone apex. 
>
>     If your parent zone is not signed then start complaining.
>
>     -- 
>     Mark Andrews
>
>     On 4 Oct 2018, at 05:24, Roberto Carna <robertocarn...@gmail.com> wrote:
>
>>     Dear people, I have DNSSEC implemented in my authoritative domain
>>     in BIND 9.10. I've created the KSK and ZSK too.
>>
>>     Let's say my domain is "robert.com.uk".
>>
>>     How do I have to give the KSK (key signing key) to my parent
>>     zones, let's say COM and UK ???
>>
>>     And what if COM or UK don't use DNSSEC at all ???
>>
>>     Thanking in advance,
>>
>>     Robert
>>     _______________________________________________
>>     Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>     unsubscribe from this list
>>
>>     bind-users mailing list
>>     bind-users@lists.isc.org
>>     https://lists.isc.org/mailman/listinfo/bind-users
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
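The DS record handed to the registrar (or published at the apex as CDS, whose RDATA is identical) is derived from the KSK's DNSKEY RDATA; this added example, which is not code from the thread or from BIND (BIND's own tool for this is dnssec-dsfromkey), shows the RFC 4034 key tag and SHA-256 digest computation, and why each zone signed with its own KSK yields its own DS. The key material is a constructed four-byte placeholder, not a valid ECDSA key.

```python
import base64
import hashlib
import struct

# Constructed sample: NOT a real key. Flags 257 = KSK (SEP bit set),
# protocol 3, algorithm 13 (ECDSAP256SHA256); a real P-256 key is 64 bytes.
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes([0, 1, 2, 3])).decode()


def owner_wire(name: str) -> bytes:
    """Owner name in uncompressed DNS wire format (RFC 1035), lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def ds_record(zone: str, flags: int, proto: int, alg: int,
              pubkey_b64: str, rrtype: str = "DS") -> str:
    """Presentation-format DS (digest type 2 = SHA-256) or CDS for a KSK.

    The digest covers the owner name in wire format followed by the
    DNSKEY RDATA, so the same key under a different zone name gives a
    different DS; a separate KSK per zone gives each client its own DS.
    """
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{zone}. IN {rrtype} {key_tag(rdata)} {alg} 2 {digest}"


if __name__ == "__main__":
    # One DS per zone; in practice each zone would have its own KSK.
    for zone in ("robert.com.uk", "client1.com.uk", "client2.edu.uk"):
        print(ds_record(zone, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG,
                        SAMPLE_PUBKEY_B64))
```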
