[Opendnssec-user] Question involving DS Records

Newman, Andrew newman-andy at yale.edu
Wed Nov 29 20:04:08 UTC 2017


I apologize if this is a bit naive but I have a question involving enabling DNSSEC for a very large and complex DNS structure. Right now I have hundreds of subdomains and thousands of resource records. The current structure has one zone per subdomain. I realize that this makes DNSSEC substantially more complex.

My question is whether there is a way to tell OpenDNSSEC that a series of zones are, in fact, "subzones" of a parent zone. My particular problem is that it doesn't appear that OpenDNSSEC automates the creation of DS records. Is there a way to? Today I am using a locally written script to update the unsigned parent zone(s) with DS records associated with the KSK of each subzone. Is there a better way to do this?



Andy Newman / newman-andy at yale.edu
Director, Infrastructure Design Services & Enterprise Architect
Yale University Information Technology Services
25 Science Park, 4th Floor
150 Munson St., New Haven, CT 06520
Phone: (203) 432-6696 / Fax: (203) 436-4067 / Cell: (203) 980-0031
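
The DS derivation that such a parent-zone update script has to perform, as an added example that is not part of the original message and is not OpenDNSSEC code: it builds the SHA-256 DS line from a child zone's KSK as defined in RFC 4034 and refuses keys that are not KSKs or owners outside the parent. The function names, the `example.com` zone names and the dummy public key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Build the SHA-256 (digest type 2) DS line for a child zone's KSK."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100 or not flags & 0x0001:
        raise ValueError("not a KSK: zone-key and SEP flag bits must both be set")
    if flags & 0x0080:
        raise ValueError("key has the REVOKE bit set")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_lines_for_parent(parent, child_keys):
    """DS lines for every child key, refusing owners that are not below `parent`."""
    suffix = "." + parent.lower().rstrip(".")
    lines = []
    for owner, flags, protocol, algorithm, pubkey_b64 in child_keys:
        if not owner.lower().rstrip(".").endswith(suffix):
            raise ValueError(f"{owner} is not a subzone of {parent}")
        lines.append(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64))
    return lines

# Constructed sample: algorithm 13 (ECDSAP256SHA256) with a dummy 64-byte public key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KEYS = [("sub.example.com", 257, 3, 13, SAMPLE_PUBKEY)]

if __name__ == "__main__":
    print("\n".join(ds_lines_for_parent("example.com", SAMPLE_KEYS)))
```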