[Pdns-users] Impact of DNSSEC with Sub Domain Zones

frank+pdns at tembo.be frank+pdns at tembo.be
Fri Mar 8 08:22:02 UTC 2019


Hi Asanka,

> Hi All,
> 
> Just want to give you all an update on how this went as I ran into issues with this implementation.
> 
> What I did first:
> Enabled DNSSEC on primary domain (domain.com)
> Added DS Records to domain registrar.
> What worked: All DNS records under the primary zone worked and resolved without any issues.
> What broke : All subdomain DNS zones failed to resolve.


What would have worked is adding NS records in your domain.com zone for the subdomains.domain.com. Even if they aren’t signed.

Frank


> 
> Kind Regards,
> Asanka Gunasekara
> 
> P: 1300 825 587
> E: support at talkup.com.au | W: www.talkup.com.au
> Postal Address: PO Box 24, Varsity Lakes QLD 4227
> 
> Please consider the environment before printing this e-mail This email message and any attachments are confidential. If you are not the intended recipient, you are notified that any unauthorised disclosure, copying, distribution or use of this information is strictly prohibited. If you have received this email in error, please notify us immediately by return email, or telephone 1300 825 587, and destroy the original message. We have taken precautions to minimise the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message. We cannot accept liability for any loss or damage caused by software viruses.
>> On 5/03/2019 11:24:27 AM, Asanka Gunasekara <asankag at talkup.com.au> wrote:
>> 
>> Hi Peter,
>> 
>> Thanks for the information. I have done just that :)
>> 
>> Kind Regards,
>> Asanka
>> 
>>> On 26/02/2019 10:31:10 PM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
>>> 
>>> Hello
>>> On 26 Feb 2019, at 5:43, Asanka Gunasekara wrote:
>>> 
>>> > I'm sure this is a pretty dumb question but my knowledge on DNSSEC is 
>>> > very limited so hope you guys/gals can help me out.
>>> >
>>> > We use PowerDNS as our Authoritative DNS and everything is configured
>>> > here. We use PowerDNS-Admin
>>> > [https://github.com/ngoduykhanh/PowerDNS-Admin] as our GUI.
>>> >
>>> > I have our primary domain: domain.com and it is split up into several
>>> > sub-domain zones for ease of management.
>>> > Eg:
>>> > Zone1 - domain.com
>>> > Zone2 - sub1.domain.com
>>> > Zone3 - sub2.domain.com
>>> >
>>> > Q1) If I enable DNSSEC between Zone1 above and domain registrar, would 
>>> > zones 2 and 3 stop functioning?
>>> 
>>> They will keep working, but in insecure mode, as long as there is a 
>>> correct delegation (NS records for Zone2 and Zone3) in Zone1.
>>> 
>>> > Q2) How do I enable DNSSEC on sub zones?
>>> 
>>> For Zone1, you presumably enabled DNSSEC in your Admin and then sent the 
>>> DNSKEY or DS to the parent operator (.com), who then puts a DS in that 
>>> parent zone. For Zone2 and Zone3, you are the parent operator, so enable 
>>> DNSSEC, and then put the DS records in Zone1.
>>> 
>>> Kind regards,
>>> -- 
>>> Peter van Dijk
>>> PowerDNS.COM BV - https://www.powerdns.com/
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
> 
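
Added example, not part of the thread and not PowerDNS code: a small Python check that classifies each child zone by what the signed parent zone holds for it, following the cases discussed above (no NS records in the parent, NS only, NS plus DS). The zone data, the sub3/sub4 names, the DS values and the status labels are constructed for illustration; the "ds-without-signed-child" case goes beyond what the thread covers.

```python
# Added example; zone data below is constructed, not taken from the thread.
PARENT = "domain.com."
PARENT_RECORDS = """\
domain.com.      3600 IN NS ns1.domain.com.
sub1.domain.com. 3600 IN NS ns1.domain.com.
sub1.domain.com. 3600 IN DS 12345 13 2 PLACEHOLDERDIGEST
sub2.domain.com. 3600 IN NS ns1.domain.com.
sub4.domain.com. 3600 IN NS ns1.domain.com.
sub4.domain.com. 3600 IN DS 54321 13 2 PLACEHOLDERDIGEST
"""
# Child zones hosted on the same server; True means the child zone is signed.
CHILD_ZONES = {
    "sub1.domain.com.": True,
    "sub2.domain.com.": False,
    "sub3.domain.com.": False,   # zone exists, parent has no NS for it
    "sub4.domain.com.": False,   # DS left in parent, child unsigned
}


def types_by_owner(zone_text):
    """Map each owner name to the set of record types present at that name."""
    owners = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 5:
            raise ValueError(f"unparseable record: {raw!r}")
        owners.setdefault(fields[0].lower(), set()).add(fields[3].upper())
    return owners


def delegation_status(child, child_signed, owners, parent=PARENT):
    """Classify how a signed parent zone hands off to one child zone."""
    child = child.lower()
    if child == parent or not child.endswith("." + parent):
        raise ValueError(f"{child} is not below {parent}")
    rtypes = owners.get(child, set())
    if "NS" not in rtypes:
        return "missing-delegation"      # add NS records for the child in the parent
    if "DS" in rtypes:
        return "secure" if child_signed else "ds-without-signed-child"
    return "insecure"                    # resolves, but without validation


def audit(children=CHILD_ZONES, zone_text=PARENT_RECORDS):
    """Return {child zone: status} for every child zone listed."""
    owners = types_by_owner(zone_text)
    return {c: delegation_status(c, signed, owners) for c, signed in children.items()}
```

Calling audit() on the sample data reports sub1 as secure, sub2 as insecure, sub3 as missing-delegation and sub4 as ds-without-signed-child.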
