Learn How We Can Help You Keep Teleworkers Protected During the COVID-19 Crisis


Accepted Solution

Best Practice to implementing DNSSEC

Posts: 9
5595     0

Hi Community,


Sorry before, i dont have a deep knowledge about how to implement the DNSSEC.

I would like to ask about the best way to use DNSSEC to a zone. So i have a challenge to enable DNSSEC to particular zone, say "abc.com". This zone has several subzones or subdomains, say "123.abc.com", "234.abc.com", and  "345.abc.com". And some of these subzone also has a subzone, say "foo.123.abc.com".

All of these domain is on the same appliance. What i would to ask is, do i need to use DNSSEC ONLY to abc.com or do i need to sign to all of these domain ?





Re: Best Practice to implementing DNSSEC

Posts: 45
5596     0
It depends on your goals, but any zone or child zone is signed independently of other zones except in relation to making a chain of trust..

If you are building a chain of trust then the parent zone with need the fingerprint (DS record) of the child zone's Key Signing Key (ksk). Which would also be signed and the parent zone of that would have a DS for it and so on.

If it were me I'd create my island (a signed zone with no DS at the parent) first then start doing my tests. Once I was comfortable I'd start chaining upwards and doing more tests.

The good news is that infoblox makes this pretty easy if everything is managed in the same grid, it is automatic (for the most part). I say for the most part because the are design decisions that affect just how automatic stuff is, you should discuss with your SE the details unless your are RFC fluent.


Donald Rudder, CISSP
Principal Technical Account Manager
sent from mobile
Showing results for 
Search instead for 
Do you mean 

Recommended for You