[dns-operations] Reverse DNSSEC--delegating to a child

Joe Abley jabley at hopcount.ca
Mon Jul 23 22:16:05 UTC 2012


On 2012-07-23, at 18:06, McGhee, Karen (Evolver) wrote:

> Thanks Joe.  For my forward DNSSEC chain of trust, I copied my dsset-etc.uspto.gov. from my child on the etc.uspto.gov domain to the parent on uspto.gov domain.  So I would do the same for my two 252.207.151.in-addr.arpa and 254.207.151.in-addr.arpa zones?

Sounds like you're using BIND9.

The DS RRset that corresponds to the KSK in the 252.207.151.in-addr.arpa zone should be published in the 207.151.in-addr.arpa zone. If dnssec-signzone gives you a dsset-252.207.151.in-addr.arpa file, then chances are good that the contents are what you should paste into the 207.151.in-addr.arpa zone. Alternatively you can generate a DS set using the BIND9 tool "dnssec-dsfromkey".

Same thing goes for 252.207.151.in-addr.arpa.

The DS RRSet that corresponds to the KSK in the 207.151.in-addr.arpa zone needs to be published in the 151.in-addr.arpa zone, which is managed by the RIPE NCC. I have never actually needed to do this (and the nice RIPE NCC people on this list will surely correct me if I'm wrong) but I think you need to add a 207.151.in-addr.arpa domain object to the RIPE database and include one or more "ds-rdata" attributes, one corresponding to each DS record you want to publish. Happy to help off-line if that sounds mysterious and difficult.

There's no reverse DNS magic here, incidentally -- this stuff works the same in the "reverse" DNS as it does in the "forward" DNS. As far as the protocol is concerned, all you have are zones and delegations, and it really makes no difference whether the names concerned end in ".gov" or ".in-addr.arpa".


Joe
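What the DS records described above actually contain, as an added example that is not part of the original post or of BIND9: it builds a child zone's DS RR from its KSK DNSKEY the way RFC 4034 defines it (the same thing a dsset- file or dnssec-dsfromkey gives you) and checks that the copy published in the parent zone still matches the child's key. The key bytes, flags and algorithm below are constructed placeholders, not a real key.

```python
# Added example, not from the original post: build a child zone's DS RR from
# its KSK DNSKEY as RFC 4034 defines it (what a dsset- file / dnssec-dsfromkey
# yield) and check that the copy published in the parent still matches.
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, algorithm, pubkey, digest_type=2):
    """DS RR text for the parent zone; digest covers owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def parent_ds_matches(published, owner, flags, algorithm, pubkey):
    """True if a DS line seen in the parent zone was derived from this KSK."""
    fields = published.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()   # dig may wrap the digest
    expected = ds_record(owner, flags, algorithm, pubkey, dtype).split()
    return (tag, alg) == (int(expected[3]), int(expected[4])) and digest == expected[6]

# Constructed placeholder KSK for 252.207.151.in-addr.arpa (flags 257 = KSK,
# algorithm 8 = RSASHA256); real key bytes would come from the zone's DNSKEY.
CHILD = "252.207.151.in-addr.arpa."
CHILD_KSK = (257, 8, bytes(range(64)))

if __name__ == "__main__":
    ds = ds_record(CHILD, *CHILD_KSK)
    print("paste into 207.151.in-addr.arpa:", ds)
    print("parent copy matches child KSK:", parent_ds_matches(ds, CHILD, *CHILD_KSK))
```

The same check applies one level up: the DS for the 207.151.in-addr.arpa KSK, published by the RIPE NCC in 151.in-addr.arpa, can be compared against the zone's DNSKEY the same way after a key rollover.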



