* Max Tulyev wrote:
So as I can understand, to fully inplement DNSSEC on my named's I have to get ALL keys for ALL signed zones and premanently trace all of them if it is not expired, isn't it?
Your are mostly right. You do not need (and should not care about) the key of chained zones, i.e. zone, that have a DS record in the signed parent zone. In those cases you only need the key of the topmost signed zone. In order to keep the maintaining effort as small as possible, several TLD offer a seperate DNS-server which hosts signed subzones. Such servers are available for *.fr, *.net and *.com. The *.se zone is signed using the standard DNS servers. Another trick to delegate the maintaining work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones. It's up to you. Good luck.