Configuring DNSSEC for child domains
Jaap Winius
jwinius at umrk.nl
Mon May 6 14:09:30 UTC 2013
Hi folks,
Setting up DNSSEC for a parent domain is relatively simple. The fiddly
bit is probably where you have to figure out what your KSK is so that
you can give it to your ISP. They can then create a DS record to
verify a DNSKEY record in your domain and so complete the chain of
trust. Check it out:
http://dnsviz.net/d/dapadam.nl/dnssec/
But what about doing this for your own child domains? My site runs
Bind 9.8.4 on Debian wheezy. I thought that I would only have to copy
the dsset-* file from the child domain's host to the host for the
parent domain. There I added a line to the parent domain's zone file,
"$INCLUDE dsset-zuid.dapadam.nl." and then signed the parent zone. It
seemed simple enough, but there are problems, so I guess I'm missing
something. I've got three examples:
1.) http://dnssec-debugger.verisignlabs.com/zuid.dapadam.nl
This says "RRSIG=55893 and DNSKEY=55893 does not verify the DS RRset
(RSA Verification failed) / The DS RRset was not signed by any keys in
the chain-of-trust" and "DS=0/SHA1 is published, but a corresponding
DNSKEY is not / None of the 3 DNSKEY records could be validated by any
of the 2 DS records"
2.) http://dnsviz.net/d/zuid.dapadam.nl/dnssec/
This shows two DS records in the parent zone, one not secure and one
bogus, and three DNSKEY records in the child zone, none of which are
secure.
3.) http://www.dnssecmonitor.org/
Fill in "zuid.dapadam.nl" and it will also say that things are not
right ("CHAIN CRITICAL: ... signature crypto failed from 127.0.0.1 for
DS zuid.dapadam.nl. while building chain of trust").
On the other hand, I've used dig to request the DS and DNSKEY records
involved:
~# dig +dnssec -t DS noord.dapadam.nl
or
~# dig +dnssec -t DNSKEY noord.dapadam.nl
The responses to these commands seem okay, but perhaps this is not the
best way to verify whether or not I have a problem.
So, what's going on here? Do I have a problem? If so, what have I
possibly done wrong and/or what might I missing?
Thanks,
Jaap
More information about the bind-users
mailing list