[Pdns-users] Impact of DNSSEC with Sub Domain Zones

Peter van Dijk peter.van.dijk at powerdns.com
Tue Feb 26 17:00:51 UTC 2019

On 26 Feb 2019, at 5:43, Asanka Gunasekara wrote:

> I'm sure this is a pretty dumb question but my knowledge on DNSSEC is 
> very limited so hope you guys/gals can help me out.
> We use PowerDNS as our Authoritative DNS and everything is configured 
> here. We use PowerDNS-Admin 
> [https://github.com/ngoduykhanh/PowerDNS-Admin] as our GUI.
> I have our primary domain: domain.com and it is split up into several 
> sub-domain zones for ease of management.
> Eg:
> Zone1 - domain.com
> Zone2 - sub1.domain.com
> Zone3 - sub2.domain.com
> Q1) If I enable DNSSEC between Zone1 above and domain registrar, would 
> zones 2 and 3 stop functioning?

They will keep working, but in insecure mode, as long as there is a 
correct delegation (NS records for Zone2 and Zone3) in Zone1.

> Q2) How do I enable DNSSEC on sub zones?

For Zone1, you presumably enabled DNSSEC in your Admin and then sent the 
DNSKEY or DS to the parent operator (.com), who then puts a DS in that 
parent zone. For Zone2 and Zone3, you are the parent operator, so enable 
DNSSEC, and then put the DS records in Zone1.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
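
Added example, not part of the original message and not PowerDNS code: how the DS record that goes into Zone1 is derived from the child zone's DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509), and a check that a DS line matches that key, since a DS in the parent that matches no DNSKEY in the child makes the child fail validation. The key material below is constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample values (not a real key): KSK flags 257, protocol 3,
# algorithm 13 (ECDSAP256SHA256, 64-byte public key).
CONSTRUCTED_PUBKEY = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag: 16-bit checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS line with digest type 2: SHA-256 over owner name wire form + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_matches(ds_line, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS line placed in the parent matches the child's DNSKEY."""
    want = make_ds(owner, flags, protocol, algorithm, pubkey_b64).split()
    want = want[want.index("DS") + 1:]
    got = ds_line.split()
    got = got[got.index("DS") + 1:]
    # Presentation format may split the hex digest with spaces and use
    # either case; normalise before comparing.
    got = got[:3] + ["".join(got[3:]).lower()]
    return got == want

if __name__ == "__main__":
    # Record to add to Zone1 (domain.com) for the child zone sub1.domain.com.
    print(make_ds("sub1.domain.com.", 257, 3, 13, CONSTRUCTED_PUBKEY))
```

Replace the constructed values with the flags, protocol, algorithm and public key from the DNSKEY record the child zone actually publishes.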
