DNSSEC: After signing child zone do I need to work my way up the chain and sign every parent zone?


So, working through the literature and tutorials, DNSSEC is fairly straightforward. I sign a zone and hand the DS records to the parent zone, which in basic tutorials is your registrar, thus completing the chain.

I want to take this a bit further and be able to delegate different subdomains. My understanding is that these subdomains will have to sign their zones and then give their parent zone the DS records. My question is: whenever a subdomain signs its zone, do I need to take those DS records and update the parent zone, then re-sign the parent zone, and so on until I make my way up the chain?

For example this is my current understanding:

  1. I register a domain, example.com
  2. I delegate a zone production.example.com. I sign the zone and give the DS records to example.com
  3. At some later date I delegate a zone within production.example.com called service1.production.example.com. I sign service1.production.example.com, then pass the DS records to production.example.com. Then I re-sign production.example.com and pass its new DS records to example.com.

Is this the correct interpretation?

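The point the question turns on is what a DS record actually covers. Per RFC 4034, a DS is a digest of the child's owner name plus the DNSKEY RDATA of the child's key-signing key (KSK). It does not cover the zone's other records or its RRSIGs, so adding a grandchild's DS to production.example.com and re-signing that zone produces new signatures but the same DS at example.com; only a KSK change (a rollover) at production.example.com requires a new DS upstream. The following is an added example written for this page, not code from the original post or from any DNSSEC implementation. It implements the DS digest and key-tag arithmetic from RFC 4034 (digest type 2, SHA-256) and models "signing" as a toy hash over zone content so the two cases can be compared; the key bytes, zone names and the `Zone`/`scenario`/`chain_is_valid` helpers are constructed for illustration and are not real keys or a real signer.

```python
"""Where DNSSEC DS records live and what changes them (added example, not from the post).

Implements DS digest and key-tag computation per RFC 4034 (sections 5.1 and Appendix B)
over constructed, non-real key material. RRSIG generation is replaced by a toy hash;
only the DS arithmetic is faithful to the RFC.
"""
import hashlib
from dataclasses import dataclass, field


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    """DNSKEY RDATA fields (RFC 4034 section 2). flags 257 = ZONE|SEP, i.e. a KSK."""
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, key: DNSKEY, digest_type: int = 2) -> tuple:
    """DS RDATA (RFC 4034 section 5.1): (key tag, algorithm, digest type, digest).
    The digest covers owner name + DNSKEY RDATA and nothing else in the zone."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is modelled here")
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()
    return (key_tag(key.rdata()), key.algorithm, digest_type, digest)


@dataclass
class Zone:
    name: str
    ksk: DNSKEY
    records: list = field(default_factory=list)   # toy stand-in for the zone's other RRs
    child_ds: dict = field(default_factory=dict)  # child name -> DS tuple held at this parent

    def ds_for_parent(self) -> tuple:
        """What this zone hands up: depends only on its name and its KSK."""
        return ds_record(self.name, self.ksk)

    def delegate(self, child: "Zone") -> None:
        """Accept a child's DS into this zone (the parent's only DNSSEC duty for the child)."""
        self.child_ds[child.name] = child.ds_for_parent()

    def sign(self) -> str:
        """Toy 'signature' over all zone content. Real RRSIGs are per-RRset and bound to
        the ZSK/KSK, but this is enough to show that re-signing changes signatures, not DS."""
        payload = self.name.encode() + self.ksk.rdata()
        for rr in self.records:
            payload += rr.encode()
        for child, ds in sorted(self.child_ds.items()):
            payload += child.encode() + ds[3].encode()
        return hashlib.sha256(payload).hexdigest()


def chain_is_valid(zones: list) -> bool:
    """Walk top-down, as a validating resolver does, and check that the DS each parent
    holds for its child matches the KSK the child currently publishes."""
    return all(parent.child_ds.get(child.name) == child.ds_for_parent()
               for parent, child in zip(zones, zones[1:]))


def scenario() -> dict:
    """The three-zone setup from the question, with constructed (non-real) key bytes."""
    example = Zone("example.com", DNSKEY(257, 15, bytes(range(32))))
    production = Zone("production.example.com", DNSKEY(257, 15, bytes(range(32, 64))))
    service1 = Zone("service1.production.example.com", DNSKEY(257, 15, bytes(range(64, 96))))
    example.delegate(production)                  # step 2 of the question

    ds_before, sig_before = production.ds_for_parent(), production.sign()
    production.delegate(service1)                 # step 3: new grandchild, re-sign production
    ds_after, sig_after = production.ds_for_parent(), production.sign()
    chain_ok = chain_is_valid([example, production, service1])

    # The case that *does* need a trip up the chain: production rolls its KSK.
    production.ksk = DNSKEY(257, 15, bytes(range(96, 128)))
    ds_after_rollover = production.ds_for_parent()
    chain_after_rollover = chain_is_valid([example, production, service1])
    example.delegate(production)                  # publish the new DS at the parent
    chain_after_update = chain_is_valid([example, production, service1])

    return {
        "ds_unchanged_after_child_delegation": ds_before == ds_after,
        "signatures_changed": sig_before != sig_after,
        "chain_valid_before_rollover": chain_ok,
        "ds_changed_after_rollover": ds_after_rollover != ds_before,
        "chain_valid_after_rollover": chain_after_rollover,
        "chain_valid_after_ds_update": chain_after_update,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Running it shows the DS for production.example.com identical before and after service1 is delegated and the zone re-signed, the chain still validating, and the DS changing (with the chain breaking until example.com is updated) only when production.example.com's KSK is replaced. One practical check before any edit to a parent: compute the DS from the child's published KSK yourself (`dig DNSKEY` plus the digest above, or `dnssec-dsfromkey`) and compare it to what the parent serves; if they already match, nothing upstream needs to change.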