[dns-operations] Reverse DNSSEC--delegating to a child

McGhee, Karen (Evolver) Karen.Mcghee at USPTO.GOV
Mon Jul 23 22:06:14 UTC 2012


Thanks Joe.  For my forward DNSSEC chain of trust, I copied my dsset-etc.uspto.gov. from my child on the etc.uspto.gov domain to the parent on uspto.gov domain.  So I would do the same for my two 252.207.151.in-addr.arpa and 254.207.151.in-addr.arpa zones?

-----Original Message-----
From: Joe Abley [mailto:jabley at hopcount.ca] 
Sent: Monday, July 23, 2012 6:00 PM
To: McGhee, Karen (Evolver)
Cc: 'dns-operations at lists.dns-oarc.net'
Subject: Re: [dns-operations] Reverse DNSSEC--delegating to a child

Hi Karen,

On 2012-07-23, at 17:44, McGhee, Karen (Evolver) wrote:

> I am about to implement reverse dnssec.  I'm authoritative for zone 207.151.in-addr.arpa, and I delegate two /24s to a child server on etc.uspto.gov like so:
>  
> $TTL 7200
> @       IN      SOA     dns1.uspto.gov. nmb.uspto.gov. (
>                 2012072100      ; serial number yyyy/mm/dd/## format
>                 10800           ; refresh after 3 hours
>                 3600            ; retry after 1 hour
>                 604800          ; expire after 1 week
>                 86400   )       ; minimum TTL of 1 day
>  
>         IN      NS      dns1.uspto.gov.
>         IN      NS      dns2.uspto.gov.
>  
> 
> 252     86400   IN      NS      etc-dns1.etc.uspto.gov.
> 254     86400   IN      NS      etc-dns1.etc.uspto.gov.
> 
> On my child, must I create two separate zone files:  252.207.151.in-addr.arpa and 254.207.151.in-addr.arpa?  Or can I have the same zone 207.151.in-addr.arpa as on the parent? 

Create the two child zones that you mentioned.

When you have signed 207.151.in-addr.arpa and are confident that it validates correctly, you will need to get a DS record published in the parent zone, 151.in-addr.arpa. That zone is operated by the RIPE NCC, and so you will need to talk to them.

When each of your child zones is signed, you take one or more DS records from each child zone and publish them in the 207.151.in-addr.arpa zone along with the NS records.

There is no need to do these in order (in the sense that nothing will break if you do these two steps in a different order), but you will need a secure delegation from 151.in-addr.arpa to 207.151.in-addr.arpa before secure delegations from the 207.151.in-addr.arpa zone to your children are useful (assuming validators that carry just a root zone trust anchor).


Joe
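Joe's DS step above, as an added example that is not part of the thread: a Python check that recomputes the DS a parent zone should carry from a child zone's DNSKEY (the same content BIND writes to a dsset file) and compares it with what the parent publishes. The key material is a constructed 4-byte placeholder, not a real key, and the helper names are this example's own.

```python
"""Recompute a DS record from a child DNSKEY and compare it with the parent's copy."""
import base64
import hashlib
import struct

# Digest types from RFC 4034 (SHA-1) and RFC 4509 (SHA-256)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, upper-case hex digest), i.e. one dsset line."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parent_ds_matches(owner, flags, protocol, algorithm, pubkey_b64, parent_ds: str) -> bool:
    """parent_ds is the DS RDATA as published in the parent: '<tag> <alg> <digest type> <hex>'."""
    tag, alg, dtype, hexd = parent_ds.split()
    computed = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return computed == (int(tag), int(alg), int(dtype), hexd.upper())


if __name__ == "__main__":
    # Constructed placeholder KSK (flags 257, protocol 3, RSASHA256), NOT a real key.
    child_key = (257, 3, 8, "AQIDBA==")
    for zone in ("252.207.151.in-addr.arpa.", "254.207.151.in-addr.arpa."):
        tag, alg, dtype, digest = ds_from_dnskey(zone, *child_key)
        # This line is what belongs in 207.207.151.in-addr.arpa next to the child's NS records
        print(f"{zone} IN DS {tag} {alg} {dtype} {digest}")
```

The owner name is part of the digest, so the same key material at 252 and at 254 yields two different DS records; each child zone needs its own entry in 207.151.in-addr.arpa.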
