Re: DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Mark Andrews
You give the matching DS record via your registrar much the same way as you do 
the NS RRset or glue address records.  If your registrar doesn’t support DNSSEC 
you will need to change registrars.

If your parent zone uses CDS or CDNSKEY then publish those records at the zone 
apex. 

If your parent zone is not signed then start complaining.

-- 
Mark Andrews

> On 4 Oct 2018, at 05:24, Roberto Carna wrote:
> 
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND 
> 9.10. I've created the KSK and ZSK too.
> 
> Let's say my domain is "robert.com.uk".
> 
> How do I have to give the KSK (key signing key) to my parent zones, let's say 
> COM and UK ???
> 
> And what if COM or UK don't use DNSSEC at all ???
> 
> Thanking in advance,
> 
> Robert
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Anand Buddhdev
On 03/10/2018 21:24, Roberto Carna wrote:

Hi Roberto,

> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
> 
> Let's say my domain is "robert.com.uk".
> 
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???

Typically, you won't submit the KSK, but a hash of it, called a DS
record. You can generate a DS record using the dnssec-dsfromkey tool,
which is part of BIND.

Your domain will be registered through some registrar. You need to log
into your registrar's web interface, and submit your DS record through
that interface. They will transmit the DS record to the COM or UK
registry which will publish the DS record.

> And what if COM or UK don't use DNSSEC at all ???

Well, COM and UK *are* signed. But if the parent isn't signed, then
there's no point in publishing DS records, because there's no way to
validate the chain of trust. In fact, in general unsigned parent zones
will not even accept DS records.

Regards,
Anand
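
Added example, not part of the original thread and not BIND's own code: what the DS record discussed above contains (key tag, algorithm, digest type, and a SHA-256 digest over the owner name plus the DNSKEY RDATA), so the value a registrar displays can be cross-checked against the output of dnssec-dsfromkey. The function names and the sample key (64 placeholder bytes under example.com.) are constructed for illustration.

```python
import base64
import hashlib
import struct
from typing import NamedTuple

# Constructed sample: 64 placeholder bytes, not a real ECDSA P-256 public key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    def to_text(self) -> str:
        return (f"{self.owner} IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest}")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line: str):
    """Parse one single-line DNSKEY record into (owner, flags, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")  # TTL and class before the type are optional
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_from_dnskey(line: str) -> DS:
    """Build the SHA-256 (digest type 2) DS record for a KSK."""
    owner, flags, rdata = parse_dnskey(line)
    if (flags & 0x0101) != 0x0101:  # Zone Key bit and SEP bit, i.e. flags 257
        raise ValueError(f"flags={flags}: not a KSK, do not submit a DS for it")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(owner.lower(), key_tag(rdata), rdata[3], 2, digest)

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY).to_text())
```

A DS whose key tag or digest does not match a DNSKEY actually published and used to sign the zone's DNSKEY RRset makes the zone fail validation at resolvers, so compare before submitting.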


DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Roberto Carna
Dear people, I have DNSSEC implemented in my authoritative domain in BIND
9.10. I've created the KSK and ZSK too.

Let's say my domain is "robert.com.uk".

How do I have to give the KSK (key signing key) to my parent zones, let's
say COM and UK ???

And what if COM or UK don't use DNSSEC at all ???

Thanking in advance,

Robert