Hi Karen,

On 2012-07-23, at 17:44, McGhee, Karen (Evolver) wrote:

> I am about to implement reverse dnssec.  I'm authoritative for zone 
> 207.151.in-addr.arpa, and I delegate two /24s to a child server on 
> etc.uspto.gov like so:
>  
> $TTL 7200
> @       IN      SOA     dns1.uspto.gov. nmb.uspto.gov. (
>                 2012072100      ; serial number yyyy/mm/dd/## format
>                 10800           ; refresh after 3 hours
>                 3600            ; retry after 1 hour
>                 604800          ; expire after 1 week
>                 86400   )       ; minimum TTL of 1 day
>  
>         IN      NS      dns1.uspto.gov.
>         IN      NS      dns2.uspto.gov.
>  
> 
> 252     86400   IN      NS      etc-dns1.etc.uspto.gov.
> 254     86400   IN      NS      etc-dns1.etc.uspto.gov.
> 
> On my child, must I create two separate zone files:  252.207.151.in-addr.arpa 
> and 254.207.151.in-addr.arpa?  Or can I have the same zone 
> 207.151.in-addr.arpa as on the parent? 

Create the two child zones that you mentioned.

When you have signed 207.151.in-addr.arpa and are confident that it validates 
correctly, you will need to get a DS record published in the parent zone, 
151.in-addr.arpa. That zone is operated by the RIPE NCC, and so you will need 
to talk to them.

When each of your child zones is signed, you take one or more DS records from 
each child zone and publish them in the 207.151.in-addr.arpa zone along with 
the NS records.

There is no need to do these in order (in the sense that nothing will break if 
you do these two steps in a different order), but you will need a secure 
delegation from 151.in-addr.arpa to 207.151.in-addr.arpa before secure 
delegations from the 207.151.in-addr.arpa zone to your children are useful 
(assuming validators that carry just a root zone trust anchor).


Joe
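What "take one or more DS records from each child zone and publish them in the parent" amounts to in bytes, as an added example that is not part of this thread: a DS record is the key tag, algorithm, digest type and a hash over the child's owner name (in canonical wire form) concatenated with the DNSKEY RDATA (RFC 4034 section 5.1.4, key tag from Appendix B). The code below builds that DS set for a constructed placeholder KSK of 252.207.151.in-addr.arpa and checks a DS record, as it would appear in the 207.151.in-addr.arpa zone file, against the child's key. The zone name is taken from the message; the key material, flags and algorithm number are assumptions for illustration, and nothing here talks to the network.

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: Flags | Protocol | Algorithm | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B, algorithms other than 1): a 16-bit sum
    over the RDATA that identifies the key in DS and RRSIG records."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA for a DNSKEY: digest = H(owner name wire form | DNSKEY RDATA).
    Returns (key_tag, algorithm, digest_type, uppercase hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def format_ds(owner, ds, ttl=86400):
    """Presentation format, as the record would appear in the parent zone file."""
    tag, alg, dtype, digest = ds
    return f"{owner} {ttl} IN DS {tag} {alg} {dtype} {digest}"


def parse_ds(rr):
    """Parse a presentation-format DS RR. TTL and class are optional, and the
    hex digest may be split across whitespace or wrapped in parentheses, as
    dig and zone files print it."""
    fields = rr.replace("(", " ").replace(")", " ").split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())


def ds_matches_key(ds_rr, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS published in the parent was derived from this DNSKEY
    (same key tag, algorithm and digest). Unknown digest types never match."""
    tag, alg, dtype, digest = parse_ds(ds_rr)
    if dtype not in DIGEST_ALGS:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)


# Constructed sample: a placeholder KSK for one of the child zones. Flags 257
# marks a KSK (SEP bit set); protocol is always 3; algorithm 8 is RSASHA256.
# The key bytes are arbitrary filler, not a real RSA public key.
CHILD_ZONE = "252.207.151.in-addr.arpa."
KSK = dict(flags=257, protocol=3, algorithm=8,
           pubkey_b64=base64.b64encode(bytes(range(1, 65))).decode())


def child_ds_records():
    """The DS RRs the parent (207.151.in-addr.arpa) would publish next to the
    child's NS records, one per digest type offered."""
    return [format_ds(CHILD_ZONE, make_ds(CHILD_ZONE, digest_type=t, **KSK)) for t in (2, 4)]


if __name__ == "__main__":
    for rr in child_ds_records():
        print(rr)
        print("matches child KSK:", ds_matches_key(rr, CHILD_ZONE, **KSK))
```

The same check applies one level up: the DS that RIPE NCC publishes in 151.in-addr.arpa must be derived from the KSK actually in the 207.151.in-addr.arpa DNSKEY RRset, which is why the DS set is regenerated and re-submitted whenever that KSK is rolled.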
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations