DNSSEC not populating parent zone files with DS records

Tony Finch dot at dotat.at
Mon Oct 3 13:26:17 UTC 2011

Bill Owens <owens at nysernet.org> wrote:
> However, in this case I believe your problem is the lack of NS records
> in nau.edu for extended.nau.edu. It's difficult to know for sure, but it
> appears that the only signature for the NS RRSET is using the ZSK for
> extended.nau.edu, not the ZSK for nau.edu.

This is normal. DNSSEC does not sign delegation RRsets (NS records and
glue A and AAAA records) because they are part of the child zone. DS
records are special because although they live at the name of the child
zone, they are considered part of the parent zone and are therefore signed
by the parent, which forms a link in the chain of trust.

For example,

<<>> DiG 9.9.0a2 <<>> +dnssec ns cam.ac.uk. @ns0.ja.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1490
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 9
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 4096
;cam.ac.uk.                     IN      NS

cam.ac.uk.              86400   IN      NS      authdns1.csx.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      authdns0.csx.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      dns1.cl.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      bitsy.mit.edu.
cam.ac.uk.              86400   IN      NS      ns2.ic.ac.uk.
cam.ac.uk.              86400   IN      NS      dns0.eng.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      dns0.cl.cam.ac.uk.
cam.ac.uk.              86400   IN      DS      5998 5 1 4FC806508D1FA1FE40AAF366A9180E052331D574
cam.ac.uk.              86400   IN      DS      5998 5 2 B398A3523E2D6A10C0C3B349FA7AD0639551950F2FBD9E82A6B69370 C2725548
cam.ac.uk.              86400   IN      RRSIG   DS 8 3 86400 20111029080710 20110929080710 20880 ac.uk. PjKjwnwTrMin9srEn5t+2LZhwRzndokxJit/0339LhaGhtrB7Mr7Jo5M 5D2nqYdJr2oo7LXIN90p1RLitHVQrP05B6G8jyjJZJhPB6UlWMfvdIuQ k+FClgxnvWLBraXLdVWGmrMbp08i63KoYnBbtWOJEmts9CPnKMXLOtji 1K8=

ns2.ic.ac.uk.           86400   IN      A
dns0.cl.cam.ac.uk.      86400   IN      A
dns0.eng.cam.ac.uk.     86400   IN      A
dns1.cl.cam.ac.uk.      86400   IN      A
authdns0.csx.cam.ac.uk. 86400   IN      A
authdns0.csx.cam.ac.uk. 86400   IN      AAAA    2001:630:212:8::d:a0
authdns1.csx.cam.ac.uk. 86400   IN      A
authdns1.csx.cam.ac.uk. 86400   IN      AAAA    2001:630:212:12::d:a1

;; Query time: 4 msec
;; SERVER: 2001:630:0:9::14#53(2001:630:0:9::14)
;; WHEN: Mon Oct  3 14:25:26 2011
;; MSG SIZE  rcvd: 601

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire: Southerly veering southwesterly 6 to gale 8,
occasionally severe gale 9 at first in northwest Viking. Moderate or rough
becoming very rough or high. Rain then squally showers. Moderate or good,
occasionally poor.

More information about the bind-users mailing list