List: bind-users
Subject: Re: DNSSEC
From: Mark Andrews <Mark_Andrews@isc.org>
Date: 2006-11-27 23:48:56
Message-ID: 200611272348.kARNmuGj000493@drugs.dv.isc.org
> How do I preserve the chain of trust if I happen to run 2 zones within
> the same DNS server with DNSSEC (running Bind 9.3.3)
>
> zone 1: example.com (signed with a KSK)
> zone 2: myzone.example.com (signed with a KSK)
>
> Do I need to include anything on the "example.com" zone in order to
> enable the trust? Or, do I need to sign the example.com zone with
> another parameter?
>
> Do I need to add the DS RR record with something like "$include
> dsset-myzone.example.com" on the "example.com" zone?
>
> Mike
You can either add them with $include or have dnssec-signzone
create them from the keyset files with '-g'. Note these methods
are mutually exclusive and apply for all children.
# --- child zone: myzone.example.com ---
# create zone signing key and key signing key.
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.example.com
dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE myzone.example.com
# add the DNSKEY records to the raw zone.
cat myzone.example.com.raw Kmyzone.example.com*.key \
> myzone.example.com.unsigned
# sign the resulting zone. Besides the signed zone this writes
# keyset-myzone.example.com. and dsset-myzone.example.com. into the
# current directory; the parent needs one of them (see below).
dnssec-signzone -o myzone.example.com -f myzone.example.com.db \
myzone.example.com.unsigned
# --- parent zone: example.com (sign it after the child) ---
# create zone signing key and key signing key.
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE example.com
# add the DNSKEY records to the raw zone.
cat example.com.raw Kexample.com*.key > example.com.unsigned
# -g: look for child keyset files (keyset-*.) in the current directory,
# generate the DS RRs from them, and sign the zone. Do not also $include
# the dsset- file when using -g.
dnssec-signzone -g -o example.com -f example.com.db example.com.unsigned
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
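Whichever way the DS records get into example.com ($include of the dsset- file or -g), the chain of trust only holds while each DS digest still matches a KSK in the child's DNSKEY RRset; after a KSK rollover in myzone.example.com the parent must be re-signed with fresh DS records, otherwise validators treat the child as bogus (SERVFAIL), not as unsigned. The following stdlib-only script is an added example, not part of the message above or of BIND: it recomputes DS records from DNSKEY lines the way dnssec-signzone -g does (digest per RFC 4034 section 5.1.4, key tag per RFC 4034 Appendix B) and reports which DS records in the parent are current and which are stale. The DNSKEY lines, zone names and key bytes in it are constructed dummy data, not real RSA keys.

```python
"""Check that the DS RRs a parent zone publishes match the child's KSK DNSKEYs."""
import base64
import hashlib
import struct

# digest type -> hash: 1 = SHA-1 (what BIND 9.3 emits), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (256)


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a selector, not a cryptographic identifier."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (K*.key file format)."""
    toks = line.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    return toks[0], flags, proto, alg, base64.b64decode("".join(toks[i + 4:]))


def parse_ds(line):
    """Parse 'owner [ttl] [IN] DS tag alg dtype hex...' (dsset-* file format)."""
    toks = line.split()
    i = toks.index("DS")
    tag, alg, dtype = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    return toks[0], tag, alg, dtype, "".join(toks[i + 4:]).upper()


def ds_from_dnskey(owner, flags, proto, alg, pubkey, digest_type=1):
    """Build the DS RR line for one DNSKEY: digest over wire-form owner name + RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def check_chain(parent_ds_lines, child_dnskey_lines):
    """Return (matched_tags, stale_tags) for the parent's DS RRs against the child's KSKs.

    Only keys with the SEP bit are considered, mirroring what dnssec-signzone -g
    takes from keyset- files.  An empty matched list means the delegation is broken.
    """
    expected = set()
    for owner, flags, proto, alg, pubkey in map(parse_dnskey, child_dnskey_lines):
        if flags & SEP_FLAG:
            for dtype in DIGEST_ALGS:
                o, tag, a, d, dg = parse_ds(ds_from_dnskey(owner, flags, proto, alg, pubkey, dtype))
                expected.add((o.lower(), tag, a, d, dg))
    matched, stale = [], []
    for line in parent_ds_lines:
        owner, tag, alg, dtype, digest = parse_ds(line)
        (matched if (owner.lower(), tag, alg, dtype, digest) in expected else stale).append(tag)
    return matched, stale


# Constructed sample data (dummy key bytes, not real RSA keys): the child's DNSKEY RRset.
CHILD_KSK = "myzone.example.com. IN DNSKEY 257 3 5 AQIDBAUGBwg="  # bytes 01..08
CHILD_ZSK = "myzone.example.com. IN DNSKEY 256 3 5 CAcGBQQDAgE="  # bytes 08..01
CHILD_KEYS = [CHILD_KSK, CHILD_ZSK]


def current_ds():
    """The DS the parent should publish for the current KSK."""
    owner, flags, proto, alg, pubkey = parse_dnskey(CHILD_KSK)
    return ds_from_dnskey(owner, flags, proto, alg, pubkey, 1)


def stale_ds():
    """A DS for a previous KSK (last key byte differs), as left behind after a rollover."""
    owner, flags, proto, alg, pubkey = parse_dnskey(CHILD_KSK)
    return ds_from_dnskey(owner, flags, proto, alg, pubkey[:-1] + b"\x09", 1)


if __name__ == "__main__":
    print(current_ds())
    print("matched, stale =", check_chain([current_ds(), stale_ds()], CHILD_KEYS))
```

Run it against the real files by feeding the lines of the parent's dsset- or zone file to check_chain as parent_ds_lines and the child's K*.key lines as child_dnskey_lines; a DS whose tag shows up in the stale list is one that no current KSK hashes to.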