Adding DS record to parent in DNS


The problem is exactly per the quoted text.

Validation of DNSSEC-signed data requires either:

  1. a complete chain of trust from the root zone down to your own, or
  2. configuration of a specific 'trust anchor' for your zone

In most cases, now that the root is actually signed, the former is preferred. You have a DNSKEY in your zone, and you should submit a DS record to your parent zone administrators. They then sign that record with their own key, and similarly their own DS records get sent to their parent zone, which might be the root.

This does, however, require that every level of the DNS between your domain and the root also has DNSSEC.

What is your domain? It's quite possible that your parent domain doesn't yet support DNSSEC.

If they don't, then the next best option is to submit your DS record to ISC's "DLV" repository. This is a well supported DNS feature which allows for secure distribution of trust anchors for domains that don't yet have a fully secure chain of trust all of the way to the "root". Adding your record there will allow other people to validate your domain name.

EDIT: ISC's DLV is no longer in operation.
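The answer says the DS is a digest of your KSK that the parent publishes; a later comment points at `dnssec-dsfromkey` to produce it. As an added example (not part of the original answer), the Python below reimplements what that tool computes, the RFC 4034 key tag and the DS digest over the canonical owner name plus DNSKEY RDATA, and then runs the very check the question's error message describes: which KSKs in the child zone have no matching DS at the parent. The zone name `example.net.` and the key bytes are constructed placeholders (not real ECDSA public keys), so the DS it prints is not valid for any real zone.

```python
"""Compute DS records from DNSKEY RRs and find KSKs with no DS at the parent.

Added example, not from the original answer: a re-implementation of what
BIND's dnssec-dsfromkey computes (RFC 4034 s5.1.4 digest, Appendix B key
tag). All zone names and key material here are constructed placeholders.
"""
import base64
import hashlib
import hmac
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). Type 1 (SHA-1) is
# deprecated for new delegations; type 2 (SHA-256) is what registrars expect.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # "Secure Entry Point" bit: set on KSKs, which need a DS


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.lower().rstrip(".").split(".") if label)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the RDATA with carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DS RR.

    The digest covers the canonical owner name followed by the DNSKEY RDATA,
    which is why a DS is bound to one zone name and one exact key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, ds):
    """Presentation form, ready to hand to the registrar / parent zone."""
    tag, algorithm, digest_type, digest = ds
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}"


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (base64 may be split)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey):
    """True if a DS published at the parent is the digest of this DNSKEY."""
    tag, algorithm_in_ds, digest_type, digest = ds
    if digest_type not in DS_DIGEST:
        return False  # unknown digest type: report no match rather than guess
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type)
    return (tag, algorithm_in_ds) == expected[:2] and hmac.compare_digest(digest.upper(), expected[3])


def unpublished_ksks(dnskey_lines, parent_ds):
    """Key tags of KSKs (SEP bit set) that have no matching DS in the parent.

    A non-empty result is the condition behind the error in the question:
    'DNSKEY found at child, but no DS was found at parent'. ZSKs are
    skipped: they are signed by the KSK, not delegated to by the parent."""
    missing = []
    for line in dnskey_lines:
        owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
        if not flags & SEP_FLAG:
            continue
        if not any(ds_matches(ds, owner, flags, protocol, algorithm, pubkey) for ds in parent_ds):
            missing.append(key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey)))
    return missing


# Constructed sample zone: the "keys" are placeholder byte patterns, not real
# ECDSA P-256 (algorithm 13) public keys, so the resulting DS is not valid anywhere.
SAMPLE_OWNER = "example.net."
SAMPLE_KSK = (SAMPLE_OWNER, 257, 3, 13, bytes(range(64)))       # flags 257 = ZONE|SEP
SAMPLE_ZSK = (SAMPLE_OWNER, 256, 3, 13, bytes(range(64, 128)))  # flags 256 = ZONE only
SAMPLE_ZONE = [
    f"{o} 3600 IN DNSKEY {fl} {p} {a} {base64.b64encode(k).decode()}"
    for (o, fl, p, a, k) in (SAMPLE_KSK, SAMPLE_ZSK)
]

if __name__ == "__main__":
    ds = ds_from_dnskey(*SAMPLE_KSK)
    print("Submit to parent:", format_ds(SAMPLE_OWNER, ds))
    print("KSKs without DS at parent (nothing published):", unpublished_ksks(SAMPLE_ZONE, []))
    print("KSKs without DS at parent (DS published):      ", unpublished_ksks(SAMPLE_ZONE, [ds]))
```

Two things the code makes concrete that the prose only implies: the DS digest includes the owner name, so a DS handed to the parent for one zone cannot be reused for another, and only keys with the SEP bit set need a DS, so a checker that complained about ZSKs would be wrong. If the parent already publishes a DS for an old key tag only, the report still lists the new KSK, which is what you see mid-rollover until the registrar has added the second DS.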


Bob Whitelock
Updated on September 17, 2022

Comments

  • Bob Whitelock
    Bob Whitelock almost 2 years

    I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error:

    DNSKEY found at child, but no DS was found at parent.

    Check for DS records in parent zone

    We found that none of your DNSKEY records are published at parent. All KSKs (Key Signing Keys) should have a corresponding DS record containing the digest of the key at the parent zone.

    Recommendation
    Publish DS records for all your DNSKEY (KSK) records in parent DNS zone. This will establish a chain of trust from the parent to your zone.

    Anyone know what the problem could be?

    I am using webmin for my BIND configuration and it has an option called dnssec verification and I think it's done via https://dlv.isc.org/.

    I made a screenshot for this:

    [screenshot]

  • Alnitak
    Alnitak almost 14 years
    The .net zone isn't signed yet (due 4Q2010 I believe). In the meantime you could submit your DS record to ISC's "DLV" - this is a centralised trust anchor repository. dlv.isc.org
  • Bob Whitelock
    Bob Whitelock almost 14 years
    OK, yes, I am pretty sure this is the thing I should do. I use Webmin as a hosting package and it has an option called 'DNSSEC Verification'. It is an option on the main screen of the BIND configuration. It was enabled already, and it has some settings in it already; it had some lines pointing to 'dlv.isc.org'. I have no clue what to do with it though. I will make a screenshot, and maybe you can help me out with it. Thanks!
  • Alnitak
    Alnitak almost 14 years
    Those webmin settings only control your own local recursive resolver. Adding your DS to DLV (and to .net, when they're ready) will allow other people to validate your zone. Ignore the previously reported error ("no DS in parent") unless it's preventing you from publishing your zone.
  • Bob Whitelock
    Bob Whitelock almost 14 years
    So if I understand you correctly, I should just leave everything as it is and just ignore the error messages. The error does not give me any other problems; however, I would like it to be secured. Or should I still send something to DLV? I see some people using ZoneSigner to publish the key. Should I do that, or did webmin already do it for me?
  • Alnitak
    Alnitak almost 14 years
    Yup, just ignore the error, and send your DS to the DLV so other people can validate it. Once .net is signed you can send your DS there instead and remove it from DLV.
  • Alnitak
    Alnitak almost 14 years
    If you have shell access, use dnssec-dsfromkey to get your DS record. Then register on dlv.isc.org and follow their instructions.
  • Omid Kosari
    Omid Kosari almost 11 years
    And how do I submit a DS to the .com zone?
  • Alnitak
    Alnitak almost 11 years
    @OmidKosari ask your domain registrar. If they can't help you, find a new registrar that can.