A DS RR is published in the parent zone at the delegation point (its owner name is the child zone's name) and contains a hash of the child zone's KSK. It can be configured as a trust anchor in some security-aware resolvers, and in a DNS server it creates a secure delegation point for a signed subzone. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.

Figure 22.1 (figure not reproduced in this text). It shows three signed zones, corp100.com, sales.corp100.com and nw.sales.corp100.com. Each zone holds its DNSKEY RRset (a ZSK with flags 256 and a KSK with flags 257) and A records for its hosts together with their RRSIGs (server1.corp100.com and ftp.corp100.com; server2.sales.corp100.com and ftp1.sales.corp100.com; server3.nw.sales.corp100.com and ftp1.nw.sales.corp100.com; for example "RRSIG A 5 2 86400 ..."). Each parent zone carries a DS record (key tags 25924 and 25854 are shown) that hashes the KSK of its child zone.
Following is an example of the DS RR (the digest is one continuous hexadecimal string; it is wrapped here only for width):

corpxyz.com 86400 IN DS 25924 5 1 49D2801B50E25D59440F1FF1A8012B568435B622B1F8709F33D744C4C6D71EA2

The fields of this record are:

  • Owner Name: corpxyz.com
  • TTL: 86400
  • Class: IN
  • RR Type: DS
  • Key Tag: 25924
  • Algorithm: 5
  • Digest Type: 1
  • Digest: 49D2801B50E25D59440F1FF1A8012B568435B622B1F8709F33D744C4C6D71EA2



The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are as follows:

...

  • Digest: If SHA-1 is the digest type (digest type 1), this field contains a 20 octet digest, written as 40 hexadecimal characters. If SHA-256 is the digest type (digest type 2), this field contains a 32 octet digest, written as 64 hexadecimal characters. The digest length must agree with the digest type, otherwise the DS record cannot be matched against the child zone's DNSKEY. Note that the digest in the example above is 64 hexadecimal characters (32 octets) long, which is the SHA-256 length and corresponds to digest type 2 rather than the digest type 1 shown in the record. When creating new secure delegations, prefer SHA-256 (digest type 2); SHA-1 digests are retained mainly so that validators can still verify existing records.
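As an added example (not code from the NIOS guide or from Infoblox), the following Python builds a DS RR from a child zone's DNSKEY the way RFC 4034 defines it and checks a presentation-format DS line for the field consistency described above: it computes the key tag (RFC 4034 Appendix B), the DS digest over the canonical owner name and the DNSKEY RDATA, verifies a DS against a DNSKEY as a validator would at a delegation, and reports when the digest length does not match the digest type. The child zone sales.corpxyz.com and the DNSKEY public-key bytes are constructed for the example and are not a real key; the DS line checked at the end is the one printed in the guide.

```python
"""Build and sanity-check DS records (RFC 4034 section 5 and Appendix B).

Added example for this page, not code from the NIOS guide or from Infoblox.
The DNSKEY public-key bytes below are constructed and are not a real key.
"""
import hashlib
import struct

# Digest types defined for DS: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509),
# 4 = SHA-384 (RFC 6605). The octet length is what the Digest field must carry.
DIGEST_LEN = {1: 20, 2: 32, 4: 48}
DIGEST_FN = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: add the RDATA as 16-bit words, then fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_FN[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2, ttl=86400):
    """Presentation-format DS line for child zone 'owner'; it belongs in the parent zone."""
    algorithm = rdata[3]  # algorithm byte of the DNSKEY RDATA
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    return f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line):
    """Split 'owner TTL IN DS keytag alg dtype digest...' into fields; digest chunks are joined."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "DS":
        raise ValueError("expected: owner TTL IN DS key-tag algorithm digest-type digest")
    return {"owner": f[0], "ttl": int(f[1]), "key_tag": int(f[4]),
            "algorithm": int(f[5]), "digest_type": int(f[6]), "digest": "".join(f[7:])}


def check_ds_line(line):
    """Return a list of consistency problems in a DS line (empty list means well formed)."""
    problems = []
    try:
        ds = parse_ds(line)
    except ValueError as e:
        return [str(e)]
    if not 0 <= ds["key_tag"] <= 0xFFFF:
        problems.append("key tag must fit in 16 bits")
    if ds["digest_type"] not in DIGEST_LEN:
        problems.append(f"unknown digest type {ds['digest_type']}")
        return problems
    try:
        raw = bytes.fromhex(ds["digest"])
    except ValueError:
        problems.append("digest is not hexadecimal")
        return problems
    want = DIGEST_LEN[ds["digest_type"]]
    if len(raw) != want:
        problems.append(f"digest type {ds['digest_type']} needs {want} octets, got {len(raw)}")
    return problems


def ds_matches_dnskey(line, owner, rdata):
    """What a validator does at a delegation: recompute the DS from the child's DNSKEY and compare."""
    ds = parse_ds(line)
    if check_ds_line(line) or ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return bytes.fromhex(ds["digest"]) == ds_digest(owner, rdata, ds["digest_type"])


# The DS line printed in the guide (its digest was wrapped over two lines there; joined here).
GUIDE_DS = ("corpxyz.com 86400 IN DS 25924 5 1 "
            "49D2801B50E25D59440F1FF1A8012B568435B622B1F8709F33D744C4C6D71EA2")

# Constructed child KSK: flags 257, protocol 3, algorithm 8 (RSASHA256); key bytes are not a real key.
CHILD_ZONE = "sales.corpxyz.com"
CHILD_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))

if __name__ == "__main__":
    print("guide example:", check_ds_line(GUIDE_DS) or "consistent")
    ds = make_ds(CHILD_ZONE, CHILD_KSK)
    print(ds)
    print("matches child KSK:", ds_matches_dnskey(ds, CHILD_ZONE, CHILD_KSK))
```

Running the script reports that the guide's DS line carries a 32 octet digest under digest type 1, which is the mismatch the field description warns about, then prints a DS for the constructed KSK of sales.corpxyz.com and confirms that it verifies against that key. The owner name is part of the hashed input, so the same DNSKEY published under a different child name yields a different DS, which is why ds_matches_dnskey takes the delegation name explicitly.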

NIOS Administrator Guide (Rev. A), NIOS 8.1, page 1012: Configuring DNSSEC on a Grid