Jump to first page
 -48
Delegating Signing Authority
nParent signs the DS record pointing to the key signing key

$ORIGIN net.

kids NS   ns1.kids
     DS  (É) 1234
     SIG DS (É)net.

money NS   ns1.money
      DS   (É)
      SIG DS (É)net.
$ORIGIN kids.net.

@ NS   ns1
  SIG NS (É) kids.net.
  KEY (É)  (1234)
  KEY (É)  (3456)
  SIG key É 1234 kids.net. É
  SIG key É 3456 kids.net. É
    
beth  A  127.0.10.1
      SIG A (É) 3456 kids.net. É
ns1   A  127.0.10.3
      SIG A (É)  3456 kids.net. É
¥ The parent is authoritative for the DS RR of its children
Zone signing key
Key signing key
Note that this is not the RFC2535 view.

Note that the NS records in the ÔnetÕ zone are not signed. The .net zone is not authoritative for these NS records, hey are just used for referrals.