I am new to DNS. I am trying to set up public authoritative DNS servers for a dot net domain using Knot DNS.
Generally the documentation is pretty clear, but when it comes to DNSSEC it is confusing.
So assume the domain is example.net.
There are two nameservers - bob.example.net and alice.example.net.
bob is the master and alice is the slave. They both work in the test environment, in that they correctly answer queries and changes in bob replicate onto alice.
I now want to set up DNSSEC, with Knot's auto signing, and I have some questions not answered by the documentation, and all the howtos online refer to setting up a private authoritative network for an internal domain.
Question 1: Do you just configure the DNSSEC setup on the master (i.e. bob), which seems to be what the Knot documentation says?
- If so how does alice become aware of the keys?
- Will it just propagate automatically or do I have to copy the setup over manually?
Question 2: Automatic key management. The documentation talks about propagating the CDS and CDNSKEY records to 'the parent' and gives an example configuration. But in the example it gives a non-routable address (192.168.12.1), so the question is:
- what is the correct parent for a dot net domain - is it at my registrar or is there a particular address for specific top level domains (.net)?
- Is there a relevant RFC?
Thanks
0 Answers
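One way to lay out the two configurations described in the question, as an added example that is not part of the original post or of the Knot DNS project's own documentation. The split it shows is the one a defender wants: only the primary (bob) holds private keys and signs; the secondary (alice) receives the already-signed zone over AXFR/IXFR and never needs the keys, so nothing has to be copied to it. The `submission` section does not send anything to the parent: it lists nameservers of the parent zone that Knot polls to detect whether the DS record has appeared, after which it finishes the KSK rollover. The DS itself still has to be submitted through the registrar for a .net delegation (or be picked up by a parent that scans CDS/CDNSKEY, as RFC 7344 and RFC 8078 describe), which is why the documentation example can use any placeholder address there. All addresses below are RFC 5737 documentation ranges and are constructed for this example, as are the file paths and the identifiers `bob`, `alice`, `parent_ns`, `xfr_alice`, `notify_bob` and `ecdsa_auto`.

```yaml
# --- bob.example.net (primary, signs the zone) ---
server:
    listen: [ 0.0.0.0@53, ::@53 ]

remote:
  - id: alice                      # secondary to notify
    address: 198.51.100.2@53
  - id: parent_ns                  # hypothetical .net nameserver, polled for the DS only
    address: 203.0.113.53@53

acl:
  - id: xfr_alice                  # only alice may pull zone transfers
    address: 198.51.100.2
    action: transfer

submission:
  - id: parent_check
    parent: [ parent_ns ]          # where Knot looks for the published DS
    check-interval: 1h

policy:
  - id: ecdsa_auto
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    zsk-lifetime: 60d
    propagation-delay: 1h          # headroom for alice to pick up new RRSIGs
    cds-cdnskey-publish: always    # publish CDS/CDNSKEY so the parent can see the active KSK
    ksk-submission: parent_check

zone:
  - domain: example.net
    file: /var/lib/knot/example.net.zone   # constructed path
    notify: alice
    acl: xfr_alice
    dnssec-signing: on
    dnssec-policy: ecdsa_auto

# --- alice.example.net (secondary, serves the signed copy) ---
server:
    listen: [ 0.0.0.0@53, ::@53 ]

remote:
  - id: bob                        # primary to transfer from
    address: 198.51.100.1@53

acl:
  - id: notify_bob                 # accept NOTIFY only from the primary
    address: 198.51.100.1
    action: notify

zone:
  - domain: example.net
    master: bob
    acl: notify_bob
    # no dnssec-signing here: RRSIGs, DNSKEY, CDS and CDNSKEY arrive with the transfer
```

A quick check that the split works is to query both servers with `dig +dnssec example.net SOA` and confirm alice returns the same RRSIG that bob does; restricting the `transfer` ACL to alice's address matters because a signed zone is still fully enumerable by anyone allowed to AXFR it.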