Near the end of 2019 UltraDNS rolled out the ability to sign child domains with the same DNSSEC key as a parent domain. This only works in the web GUI located at portal.ultradns.com.
The process works as follows (using test zones as examples):
Step 1: Sign the child domain
Navigate to the DNSSEC tab of the child domain and click the Sign button. In my example the DS Resource Records assigned to rt.testzone.jp were:
50359 13 1 3B942BADB7A47296F73BAC100FE471F5C368CF92
50359 13 2 2C030D0A06E85D8AC5F2CD07F5329F3B80DD6C28358296F4564C34D736AC5A02
Copy these values to a text editor for later use (along with child domain name).
Step 2: Setup Delegation Signer in parent domain
Next we setup the signing relationship between parent and child domains. Go to the DS (Delegation Signer) section of the parent domain's records page. Click Add Record to view the configuration pop-up window. Note: since we use two DS Resource Records for signing that means two Delegation Signer records will be needed for each child domain. The settings will be as follow using my examples:
Delegation Signer (1):
Host: rt.testzone.jp.
Key Tag: 50359
Algorithm: ECDSA Curve P-256 with SHA-256 (13)
Digest Type: SHA-1 (1)
Digest: 3B942BADB7A47296F73BAC100FE471F5C368CF92
TTL: 86400
Delegation Signer (2):
Host: rt.testzone.jp.
Key Tag: 50359
Algorithm: ECDSA Curve P-256 with SHA-256 (13)
Digest Type: SHA-256 (2)
Digest: 2C030D0A06E85D8AC5F2CD07F5329F3B80DD6C28358296F4564C34D736AC5A02
TTL: 86400
Save both Delegation Signer records to put them into production.
Step 3: Signing parent to complete the process
The final step is signing the parent domain. Go to the DNSSEC tab of the parent and click Sign. At this point my example parent domain's DS Resource Records were:
4108 13 1 46C4068157F537ECF33F0A1F7DABC0FFD4F9ADAF
4108 13 2 CA9D89F9C2D7E5CCF01A6D23F9EF5EC11826EC484A0511F1066A29D194DFED15
The parent DS Resource Records are what will be provided to your domain registrar for TLD DNSSEC validation. Now if we navigate to the child domain's DNSSEC tab we will see that its DS Resource Records have been updated by the signing of the parent. My rt.testzone.jp DSRRs became:
52304 13 1 496CC24107C10B3A2E873114201B502E0D8D6086
52304 13 2 C62E207D8B1CA9AD86D25F56AC0D6FE6EBA434B098C4BFA2F4C60FCAF33084AB
Any changes made to either the parent or child zone files will automatically be signed by our on-the-fly DNSSEC signers. No further signing/re-signing on either UltraDNS or registrar will be needed.