Discussion:
[Opendnssec-user] Question involving DS Records
Newman, Andrew
2017-11-29 20:04:08 UTC
Greetings:


I apologize if this is a bit naive but I have a question involving enabling DNSSEC for a very large and complex DNS structure. Right now I have hundreds of subdomains and thousands of resource records. The current structure has one zone per subdomain. I realize that this makes DNSSEC substantially more complex.


My question is whether there is a way to tell OpenDNSSEC that a series of zones are, in fact, "subzones" of a parent zone. My particular problem is that it doesn't appear that OpenDNSSEC automates the creation of DS records. Is there a way to? Today I am using a locally written script to update the unsigned parent zone(s) with DS records associated with the KSK of each subzone. Is there a better way to do this?


-Thanks,


/Andy



Andy Newman / newman-***@yale.edu
Director, Infrastructure Design Services & Enterprise Architect
Yale University Information Technology Services
25 Science Park, 4th Floor
150 Munson St., New Haven, CT 06520
Phone: (203) 432-6696 / Fax: (203) 436-4067 / Cell: (203) 980-0031
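
The step the post describes, deriving each subzone's DS record from its KSK for inclusion in the parent zone, shown as an added example that is not part of the original post and is not OpenDNSSEC code. It assumes each DNSKEY arrives as a single-line record with a fully qualified owner name; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Split a single-line DNSKEY record into (owner, flags, algorithm, rdata)."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0], flags, alg, flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def ds_from_dnskey(line):
    """SHA-256 (digest type 2) DS record for one DNSKEY, per RFC 4034 / RFC 4509."""
    owner, flags, alg, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ds_records(dnskey_lines):
    """DS records for the KSKs only: keys without the SEP bit (ZSKs) are skipped."""
    return [ds_from_dnskey(l) for l in dnskey_lines
            if "DNSKEY" in l.split(";")[0].split() and parse_dnskey(l)[1] & 0x0001]

# Constructed sample input: the key bytes are placeholders, not real keys.
KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = f"Sub.Example.ORG. 3600 IN DNSKEY 257 3 13 {KEY_B64}"
SAMPLE_ZSK = f"sub.example.org. 3600 IN DNSKEY 256 3 13 {KEY_B64}"

if __name__ == "__main__":
    for record in ds_records([SAMPLE_KSK, SAMPLE_ZSK]):
        print(record)
```

The digest covers the lowercased owner name plus the full DNSKEY RDATA, so a DS placed in the parent stops validating as soon as the subzone's KSK is rolled; the parent has to be updated as part of every KSK rollover.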