Thanks a lot Mark, regards !!!

On Thu, 4 Oct 2018 at 16:18, Mark Elkins (<m...@posix.co.za>) wrote:
>
> On 10/04/2018 05:03 PM, Roberto Carna wrote:
>
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some other domains from our
> clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?
>
>
> I believe common practice is to create separate KSK and ZSK keys for each
> domain - so each domain will have their own DS records in the parent. This
> way, if one of the clients moves their domain to a new DNS provider - there
> is no security conflict in the move from shared keys.
>
> (Use a different Key)
>
> And do I have to tell my clients I will sign their zones or it is
> transparent for them?
>
>
> DNSSEC is a good thing - but I'd suggest telling the clients that this is
> happening. DNSSEC usually introduces the need to have extra DNS actions
> happen - even on an otherwise static Zone. Thus - there is more that might
> possibly break. On the other hand, it makes resolving items in that zone far
> more secure and allows for newer possibilities such as TLSA records for Web
> and Mail services. I believe the customer should be made aware of all these
> pros and cons.
>
> (Yes)
>
> Thanks a lot again, regards !!!
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews (<ma...@isc.org>) wrote:
>
>> You give the matching DS record via your registrar much the same way as
>> you do the NS RRset or glue address records. If your registrar doesn’t
>> support DNSSEC you will need to change registrars.
>>
>> If your parent zone uses CDS or CDNSKEY then publish those records at the
>> zone apex.
>>
>> If your parent zone is not signed then start complaining.
>>
>> --
>> Mark Andrews
>>
>> On 4 Oct 2018, at 05:24, Roberto Carna <robertocarn...@gmail.com> wrote:
>>
>> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
>> 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent zones, let's
>> say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
> --
> Mark James ELKINS - Posix Systems - (South) africa...@posix.co.za
> Tel: +27.128070590 Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>