[dns-operations] Reverse DNSSEC--delegating to a child

Joe Abley jabley at hopcount.ca
Mon Jul 23 21:59:35 UTC 2012

Hi Karen,

On 2012-07-23, at 17:44, McGhee, Karen (Evolver) wrote:

> I am about to implement reverse dnssec.  I'm authoritative for zone 207.151.in-addr.arpa, and I delegate two /24s to a child server on etc.uspto.gov like so:
> $TTL 7200
> @       IN      SOA     dns1.uspto.gov. nmb.uspto.gov. (
>                 2012072100      ; serial number yyyy/mm/dd/## format
>                 10800           ; refresh after 3 hours
>                 3600            ; retry after 1 hour
>                 604800          ; expire after 1 week
>                 86400   )       ; minimum TTL of 1 day
>         IN      NS      dns1.uspto.gov.
>         IN      NS      dns2.uspto.gov.
> 252     86400   IN      NS      etc-dns1.etc.uspto.gov.
> 254     86400   IN      NS      etc-dns1.etc.uspto.gov.
> On my child, must I create two separate zone files:  252.207.151.in-addr.arpa and 254.207.151.in-addr.arpa?  Or can I have the same zone 207.151.in-addr.arpa as on the parent? 

Create the two child zones that you mentioned.

When you have signed 207.151.in-addr.arpa and are confident that it validates correctly, you will need to get a DS record published in the parent zone, 151.in-addr.arpa. That zone is operated by the RIPE NCC, and so you will need to talk to them.

When each of your child zones is signed, you take one or more DS records from each child zone and publish them in the 207.151.in-addr.arpa zone along with the NS records.

There is no need to do these in order (in the sense that nothing will break if you do these two steps in a different order), but you will need a secure delegation from 151.in-addr.arpa to 207.151.in-addr.arpa before secure delegations from the 207.151.in-addr.arpa zone to your children are useful (assuming validators that carry just a root zone trust anchor).
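As an added illustration that is not part of this thread, the following code shows how the DS record the parent (207.151.in-addr.arpa) publishes beside each child's NS records is derived from the child's KSK DNSKEY, following RFC 4034 Appendix B for the key tag and RFC 4509 for the SHA-256 (digest type 2) digest. The DNSKEY public-key bytes, flags 257 and algorithm 8 are constructed placeholders, not keys from the zones discussed; in practice a tool such as BIND's dnssec-dsfromkey performs this step.

```python
import hashlib
import struct

# Constructed example data: the two child zones from the thread and a
# placeholder KSK (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256).
# The public-key bytes are filler, NOT a real key (assumption).
CHILD_ZONES = ["252.207.151.in-addr.arpa.", "254.207.151.in-addr.arpa."]
CHILD_NS = "etc-dns1.etc.uspto.gov."
PLACEHOLDER_KSK = (257, 3, 8, bytes(range(1, 65)))


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by a zero-length root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit one's-complement-style sum
    over the RDATA with the carry folded back in (not valid for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey):
    """DS RR for the parent zone: digest type 2 is SHA-256 over the child's
    owner name in wire form followed by the DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def parent_delegation(owner, ns, dnskey):
    """The NS and DS lines that belong in 207.151.in-addr.arpa for one child."""
    return [f"{owner} 86400 IN NS {ns}", ds_record(owner, *dnskey)]


if __name__ == "__main__":
    for zone in CHILD_ZONES:
        print("\n".join(parent_delegation(zone, CHILD_NS, PLACEHOLDER_KSK)))
```

The DS lines are only useful to validators once 151.in-addr.arpa itself carries a DS for 207.151.in-addr.arpa, as the reply above notes.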