[Opendnssec-user] Sub zones in opendnssec and DS keys

Sebastian Castro sebastian at nzrs.net.nz
Sun Aug 31 21:16:38 UTC 2014
On 30/08/14 4:09 am, Matthijs Mekking wrote:
> Hi Bas,
> 
> On 08/29/2014 02:24 PM, Bas van den Dikkenberg wrote:
>> Hi all,
>>
>> I have 2 domains in my zone list of OpenDNSSEC, Test.domain.nl and domain.nl.
>>
>> Test.domain.nl has to publish its DS records to domain.nl; does
>> OpenDNSSEC do this automatically?
>>
>> If not, can OpenDNSSEC do this automatically?
> 
> Unfortunately not at this moment.
> 
>> If not, is there a good workaround for this?
> 
> I don't know if there are users on the list who have experimented with
> this, but I guess you can make use of the following element in conf.xml:
> 
>     <DelegationSignerSubmitCommand/>
> 
> To configure a program/script that receives the new KSK during a key
> rollover. In your script, you could distinguish between executions for
> domain.nl and test.domain.nl.

We do, although we don't do KSK rollovers automatically because we need
to interact with IANA to complete the .nz rollover. Our script takes the
new KSK, generates DS records, and sends them by email to an internal
address, signed with PGP; the email is later evaluated by a human and acted upon.

> 
> I can imagine that you want to concatenate the DS to the unsigned zone
> file for domain.nl, issue ods-signer sign domain.nl, wait a bit to let the
> change propagate to your name servers, and then do a ds-seen for test.domain.nl.
> 
> Hope these hints help.
> 
> Best regards,
>  Matthijs
> 

Cheers,
-- 
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
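The DelegationSignerSubmitCommand hook that Matthijs describes, worked through as an added example (my code, not OpenDNSSEC's and not the .nz script Sebastian mentions). It assumes the enforcer hands the new KSK to the command on stdin as DNSKEY records in presentation format, one per line, and it assumes the child-to-parent map, the unsigned zone directory and the ods-ksmutil "key ds-seen --zone ... --keytag ..." invocation shown below; check those against your conf.xml and ods-ksmutil's help before wiring it in. The script computes the DS itself from the DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509 over the canonical, lowercased owner name followed by the DNSKEY RDATA), appends the DS to the parent's unsigned zone and re-signs it when the parent is signed by the same installation, and otherwise prints the DS for a human to submit, which is the .nz pattern. The sample DNSKEY in the test data is constructed, not a real key.

```python
#!/usr/bin/env python3
"""Hypothetical DelegationSignerSubmitCommand hook. Added example, not
OpenDNSSEC's own code. Assumes the enforcer runs this command with the new
KSK(s) on stdin as DNSKEY records in presentation format, one per line:
    test.domain.nl. 3600 IN DNSKEY 257 3 13 <base64>
Paths, zone names and the child->parent map below are assumptions."""
import base64
import hashlib
import subprocess
import sys

# Assumed site layout: children whose parent is also signed by this installation.
LOCAL_PARENTS = {"test.domain.nl": "domain.nl"}
# Assumed location of the unsigned zone input that ods-signer reads.
UNSIGNED_DIR = "/var/opendnssec/unsigned"
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # RFC 4034 / RFC 4509


def owner_wire(name):
    """Canonical wire form of an owner name (lowercase, RFC 4034 section 6.2)."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Split 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into fields."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]))   # key may span several tokens
    return f[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (16-bit ones-complement-style sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(line, digest_types=(2,)):
    """DS RRs (presentation format) for one DNSKEY line; SHA-256 by default."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & 1:
        raise ValueError("not a KSK (SEP bit clear): %s" % line.strip())
    rdata = dnskey_rdata(flags, proto, alg, key)
    tag = key_tag(rdata)
    zone = owner.lower().rstrip(".")
    recs = []
    for dt in digest_types:
        # Digest input is the canonical owner name followed by the RDATA.
        digest = DS_DIGESTS[dt](owner_wire(owner) + rdata).hexdigest().upper()
        recs.append("%s. IN DS %d %d %d %s" % (zone, tag, alg, dt, digest))
    return recs


def route(owner):
    """('local', parent) if we sign the parent ourselves, else ('external', None)."""
    zone = owner.lower().rstrip(".")
    parent = LOCAL_PARENTS.get(zone)
    return ("local", parent) if parent else ("external", None)


def main():
    for line in sys.stdin:
        if "DNSKEY" not in line:
            continue
        owner = line.split()[0]
        zone = owner.lower().rstrip(".")
        recs = ds_records(line)
        kind, parent = route(owner)
        if kind == "local":
            # Matthijs' workaround: append the DS to the parent's unsigned zone
            # and re-sign it. ds-seen is deliberately NOT run here; run it only
            # once the parent's name servers actually serve the DS.
            with open("%s/%s" % (UNSIGNED_DIR, parent), "a") as zf:
                zf.write("\n" + "\n".join(recs) + "\n")
            subprocess.run(["ods-signer", "sign", parent], check=True)
            tag = recs[0].split()[3]
            print("after propagation: ods-ksmutil key ds-seen --zone %s --keytag %s"
                  % (zone, tag))
        else:
            # Parent is run elsewhere (registry/registrar): hand the DS to a human.
            print("submit to external parent of %s:" % zone)
            print("\n".join(recs))


if __name__ == "__main__":
    main()
```

Two practical points. Appending to the unsigned zone file accumulates a DS per rollover; keeping the DS set in a separate file pulled in with $INCLUDE, rewritten on each run, avoids leaving a DS for a retired KSK behind. And the ds-seen step is printed rather than executed because telling the enforcer the DS is in the parent before the parent's servers serve it is exactly the window in which a validating resolver sees a child signed by a key the parent does not yet vouch for; RFC 4509 section 2.3 carries a worked DNSKEY/DS pair you can feed to ds_records to confirm the digest logic against a published vector.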