01-23-2017 08:43 PM
Sorry in advance, I don't have deep knowledge about how to implement DNSSEC.
I would like to ask about the best way to apply DNSSEC to a zone. I have a challenge to enable DNSSEC on a particular zone, say "abc.com". This zone has several subzones or subdomains, say "123.abc.com", "234.abc.com", and "345.abc.com". Some of these subzones also have a subzone, say "foo.123.abc.com".
All of these domains are on the same appliance. What I would like to ask is: do I need to use DNSSEC ONLY on abc.com, or do I need to sign all of these domains?
01-23-2017 08:55 PM
If you are building a chain of trust, then the parent zone will need the fingerprint (DS record) of the child zone's Key Signing Key (KSK), which would also be signed, and the parent zone of that would have a DS for it, and so on.
If it were me, I'd create my island (a signed zone with no DS at the parent) first, then start doing my tests. Once I was comfortable, I'd start chaining upwards and doing more tests.
The good news is that Infoblox makes this pretty easy: if everything is managed in the same grid, it is automatic (for the most part). I say "for the most part" because there are design decisions that affect just how automatic things are; you should discuss the details with your SE unless you are RFC-fluent.
Donald Rudder, CISSP
Principal Technical Account Manager
sent from mobile
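To make the DS linkage in the answer above concrete, here is an added example (not part of the original post, and not Infoblox code) that computes the DS record a parent zone must publish for a child zone's KSK, following RFC 4034 (key tag, canonical owner name) and RFC 4509 (SHA-256 digest type 2), and then checks whether each zone from the question is chained to its parent or is still an island. The keys are constructed dummy byte strings, not real DNSSEC keys, and the zone names are the ones from the question.

```python
"""Compute DS records from a child zone's KSK and check the parent-side chain of trust.

Added example for this thread, not the poster's or Infoblox's code. All keys are
constructed dummy bytes; the owner names are the zones from the question.
"""
import hashlib
import struct

KSK_FLAGS = 257              # ZONE (256) + SEP (1): the flags a KSK carries
DNSKEY_PROTOCOL = 3          # RFC 4034: the protocol field is always 3
ALG_ECDSAP256SHA256 = 13     # DNSSEC algorithm number for ECDSA P-256 / SHA-256
DS_DIGEST_SHA256 = 2         # DS digest type 2 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> dict:
    """DS RDATA the parent publishes for this DNSKEY: key tag, algorithm,
    digest type, and SHA-256 over (canonical owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": DS_DIGEST_SHA256,
        "digest": digest,
    }


def parent_links_child(parent_ds_set: list, child_owner: str, child_ksk_rdata: bytes) -> bool:
    """True if a DS in the parent zone matches the child's current KSK, so the
    chain of trust continues; False if the set is empty (the child is an
    'island') or the DS is stale after a KSK rollover."""
    expected = ds_record(child_owner, child_ksk_rdata)
    return any(ds == expected for ds in parent_ds_set)


def build_chain_demo() -> dict:
    """Model the zones from the question: every zone is signed, and each parent
    holds a DS for its child except abc.com -> 345.abc.com, which is left as
    an island. Keys are dummy byte strings constructed for the example."""
    ksk = {
        "abc.com":         dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, b"\x01\x02" * 32),
        "123.abc.com":     dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, b"\x11\x22" * 32),
        "foo.123.abc.com": dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, b"\x33\x44" * 32),
        "345.abc.com":     dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, b"\x55\x66" * 32),
    }
    parent_ds = {
        "abc.com":     [ds_record("123.abc.com", ksk["123.abc.com"])],
        "123.abc.com": [ds_record("foo.123.abc.com", ksk["foo.123.abc.com"])],
    }
    return {
        "123.abc.com":     parent_links_child(parent_ds["abc.com"], "123.abc.com", ksk["123.abc.com"]),
        "foo.123.abc.com": parent_links_child(parent_ds["123.abc.com"], "foo.123.abc.com", ksk["foo.123.abc.com"]),
        "345.abc.com":     parent_links_child(parent_ds["abc.com"], "345.abc.com", ksk["345.abc.com"]),
    }


if __name__ == "__main__":
    for zone, linked in build_chain_demo().items():
        print(f"{zone}: {'chained to parent' if linked else 'island (no matching DS at parent)'}")
```

The check deliberately compares the full DS tuple, not just the key tag: key tags are 16-bit and collide, so a stale DS left at the parent after a KSK rollover (a common cause of a zone going bogus) is only caught by recomputing the digest from the child's current DNSKEY. The same recomputation is what you would run against real `dig +dnssec DNSKEY` and `dig DS` output when testing each link while "chaining upwards" as the answer suggests.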