Configuring DNSSEC for child domains

Jaap Winius jwinius at
Mon May 6 14:09:30 UTC 2013

Hi folks,

Setting up DNSSEC for a parent domain is relatively simple. The fiddly  
bit is probably where you have to figure out what your KSK is so that  
you can give it to your ISP. They can then create a DS record to  
verify a DNSKEY record in your domain and so complete the chain of  
trust. Check it out:

But what about doing this for your own child domains? My site runs  
Bind 9.8.4 on Debian wheezy. I thought that I would only have to copy  
the dsset-* file from the child domain's host to the host for the  
parent domain. There I added a line to the parent domain's zone file,  
"$INCLUDE" and then signed the parent zone. It  
seemed simple enough, but there are problems, so I guess I'm missing  
something. I've got three examples:


This says "RRSIG=55893 and DNSKEY=55893 does not verify the DS RRset  
(RSA Verification failed) / The DS RRset was not signed by any keys in  
the chain-of-trust" and "DS=0/SHA1 is published, but a corresponding  
DNSKEY is not / None of the 3 DNSKEY records could be validated by any  
of the 2 DS records"


This shows two DS records in the parent zone, one not secure and one  
bogus, and three DNSKEY records in the child zone, none of which are  


Fill in "" and it will also say that things are not  
right ("CHAIN CRITICAL: ... signature crypto failed from for  
DS while building chain of trust").

On the other hand, I've used dig to request the DS and DNSKEY records  

   ~# dig +dnssec -t DS
   ~# dig +dnssec -t DNSKEY

The responses to these commands seem okay, but perhaps this is not the  
best way to verify whether or not I have a problem.

So, what's going on here? Do I have a problem? If so, what have I  
possibly done wrong and/or what might I missing?



More information about the bind-users mailing list