DNSSEC operations

Eugene Tsuno - NOAA Affiliate eugene.tsuno at noaa.gov
Wed Dec 16 19:33:37 UTC 2020


We use a stealth mode to update records to a DNSSEC site, so I don't need
to run DNSSEC.

One of our groups needs a delegation to deploy a thing and it needs to be
DNSSEC'ed.  So that group's NS servers should be able to "join" the upper
domain DNSSEC servers as a subdomain.

Just by reading, the delegated/subdomain server needs to generate a DS key
and have it added to the config of the higher server.  The group that owns
the upper servers says they need to do other periodic things to make this
work.  My reading indicates that the DS key doesn't expire.

So do those who have subdomains delegated have to regenerate DS keys ever?
Or is it a one-time thing?  Since most children have a parent, I can't
believe it is a manual or recurring thing.

I am going to profile this by deploying my own servers to test things but
I'd like to know the answer before I start.