DNSSEC not populating parent zone files with DS records
owens at nysernet.org
Sat Oct 1 11:54:31 UTC 2011
On Fri, Sep 30, 2011 at 10:26:34PM +0000, Raymond Drew Walker wrote:
> In our initial implementation of DNSSEC, we chose to try out the "auto"
> functionalities in version 9.8.0 P4, i.e. using "auto-dnssec maintain" in
> all master zones.
> When going live, we found that though all zones that we are acting as
> master for would populate their own DS records, there would be no
> population of a child zone's DS record in the corresponding parent master
> zone file.
The ARM for 9.8.1 has this to say about dnssec-signzone:
"Any keyset files corresponding to secure subzones should be present. The zone signer will generate NSEC, NSEC3 and RRSIG records for the zone, as well as DS for the child zones if '-g' is specified. If '-g' is not specified, then DS RRsets for the secure child zones need to be added manually."
I take that to mean that if I have a pair of zones served by the same master, dnssec-signzone will figure out the relationship and install DS records in the parent zone. However, that assumes two things - that both zones are on the same master (as seems to be the case for you), and that there are NS records in the parent to provide a delegation point (which doesn't seem to be true for nau.edu and extended.nau.edu, at least).
I couldn't tell whether this also applies to auto-dnssec; either the ARM doesn't say or I missed it ;)
> We have since backed out DNSSEC until we can get a resolution of the issue.
Incidentally, you haven't - you're still serving a signed zone for nau.edu and extended.nau.edu, which causes the problems noted in the other responses to your original note. I think you could fix it very quickly though, by adding the NS records to the nau.edu zone.
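To make the two preconditions above concrete (the DS data for a child comes from the child's DNSKEY, and it only makes sense to put it in the parent where the parent actually delegates the child with NS records), here is a small added Python example that is not BIND code and not part of the original thread. It computes DS records from a child zone's presentation-format DNSKEY RRs the way dnssec-signzone would (key tag per RFC 4034 Appendix B, SHA-256 digest type 2 per RFC 4509, DS only for keys with the SEP bit set), and refuses to emit them unless the parent zone text contains an NS RRset at the child's name. The nau.edu / extended.nau.edu names come from the thread; the zone text, name servers and the public key bytes are constructed here and are not real keys.

```python
"""Compute DS records for a child zone's KSKs and check the parent delegates it.

Added example (not BIND's code). Key tag: RFC 4034 App. B; DS digest type 2 =
SHA-256 over owner-name wire form + DNSKEY RDATA (RFC 4034 s5.1.4, RFC 4509).
"""
import base64
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, flags, alg, rdata)."""
    f = line.split()
    owner = f[0]
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, flags, alg, rdata


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Presentation-format DS record for one DNSKEY."""
    owner, _flags, alg, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def has_delegation(parent_zone_text: str, child: str) -> bool:
    """True if the parent zone text has an NS record owned by the child name.

    Assumes absolute owner names on each line (no $ORIGIN-relative names).
    """
    child = child.rstrip(".").lower()
    for line in parent_zone_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0].rstrip(".").lower() == child and "NS" in f[1:4]:
            return True
    return False


def ds_records_for_parent(parent_zone_text: str, child_dnskeys: list) -> list:
    """DS lines to add to the parent for the child's KSKs (SEP bit set), or a clear error."""
    child = child_dnskeys[0].split()[0]
    if not has_delegation(parent_zone_text, child):
        raise ValueError(f"parent zone has no NS delegation for {child}; add NS records first")
    return [make_ds(k) for k in child_dnskeys if parse_dnskey(k)[1] & 1]


# ---- constructed sample data (not real keys or servers) ----
FAKE_PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(32))).decode()
CHILD_KSK = f"extended.nau.edu. 3600 IN DNSKEY 257 3 8 {FAKE_PUBKEY}"
CHILD_ZSK = f"extended.nau.edu. 3600 IN DNSKEY 256 3 8 {FAKE_PUBKEY}"
PARENT_WITHOUT_NS = "nau.edu. 3600 IN SOA ns1.nau.edu. hostmaster.nau.edu. 1 7200 3600 1209600 3600\n"
PARENT_WITH_NS = PARENT_WITHOUT_NS + (
    "extended.nau.edu. 3600 IN NS ns1.extended.nau.edu.\n"
    "extended.nau.edu. 3600 IN NS ns2.extended.nau.edu.\n"
)

if __name__ == "__main__":
    for ds in ds_records_for_parent(PARENT_WITH_NS, [CHILD_KSK, CHILD_ZSK]):
        print(ds)
    try:
        ds_records_for_parent(PARENT_WITHOUT_NS, [CHILD_KSK, CHILD_ZSK])
    except ValueError as e:
        print("refused:", e)
```

Run against a real pair of zones, you would feed it the child's KSK DNSKEY lines (from the zone or the generated keyset file) and the parent zone text; the DS lines it prints go into the parent zone at the delegation point, and the ValueError is the same missing-NS condition that leaves dnssec-signzone -g with no delegation to attach a DS RRset to.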