Thread: DNSSEC - subdomain zones

  1. #1
    Join Date
    Nov 2015
    Posts
    15

    DNSSEC - subdomain zones

    Hi,

    I have a weird problem. I have this setup of 4 DA servers. Three of them act as nameservers, so the fourth pushes its DNS changes to the other three with the multi server option.

    Every server has a hostname like server.buggedbrain.com, all is fine so far. Now, the main DNS zone is signed (buggedbrain.com), so I needed to sign the other hostname zones (created by DirectAdmin on setup) also. This all works, the DS records got added to the main zone and when I verify this with a DNSSEC verifier it all checks out.

    Now, there is one subzone that disappears when it gets re-signed. The other DS records get updated, but the records from one server always disappear when they get re-signed. Any idea where I have to look for a solution? Or any idea why this is happening?

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    Hello,

    Do you sign hostnames from one main server?

  3. #3
    Join Date
    Nov 2015
    Posts
    15
    Hi,

    Yes, I sign them all from the same server, as hostname zones don't change I see no problem in this (and otherwise the 'main' server wouldn't be able to access them correctly, no?).

    I added a picture of the DS records, only the records from one server called 'poseidon' keep disappearing when the hostname zone gets re-signed.

    Also, when I set this all up, the DS records got added automatically when I created keys for the hostname zones, so I clicked on 'Generate keys' and then they got signed too, I didn't have to click on 'Sign' like with 'normal' domains, but this is because the 'root' zone (buggedbrain.com) was already signed I suppose?

    Should I delete the hostname zone for poseidon.buggedbrain.com and re-add it maybe?

  4. #4
    Join Date
    Nov 2015
    Posts
    15
    Searched some more here on the forum, and as far as I can tell DA should do this automatically ( https://www.directadmin.com/features.php?id=1904 )

    I deleted the zone (poseidon.buggedbrain.com), and added it again (it generated keys and got signed as expected). The NS records got added to the buggedbrain.com zone but the DS records were not... For the other subdomain zones it is working as expected... Not sure why it fails on poseidon...

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    Checked logs for possible errors related to poseidon.buggedbrain.com?

    Did you try to create anything like
    poseidon2.buggedbrain.com or poceidon.buggedbrain.com, poseidom.buggedbrain.com... ? What results did you have?

  6. #6
    Join Date
    Nov 2015
    Posts
    15
    Alright, did some testing. The log I need to check is the 'System messages' in the log viewer, right? Named doesn't seem to log anywhere else (except in /var/named/data/named.run, but the messages are the same as in the system messages log). I found no error messages.

    I tested with some names,

    These succeeded:
    - c0005.buggedbrain.com
    - party.buggedbrain.com
    - porty.buggedbrain.com

    These failed:
    - poceidon.buggedbrain.com
    - poseidom.buggedbrain.com
    - abcdefgh.buggedbrain.com

    Is it possible this has something to do with the length? Because the shorter names succeed, the longer ones fail. But only for the DS records, the NS records always get inserted correctly.
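
The symptom reported in this thread (NS records present in the signed parent zone, DS records missing for some hostname zones) can be checked directly against the parent zone file. The following is an added example, not part of any post and not DirectAdmin code; the zone contents and the function names `fqdn` and `delegations_missing_ds` are assumptions made for illustration.

```python
# Added example; the zone text is constructed sample data, not the poster's zone.
SAMPLE_ZONE = """\
$ORIGIN buggedbrain.com.
$TTL 3600
@          IN SOA ns1 hostmaster 2015110101 3600 900 1209600 300
@          IN NS  ns1
party      IN NS  party
           IN DS  12345 8 2 0123ABCD ; constructed, not a real digest
porty 3600 IN NS  porty
porty      IN DS  23456 8 2 4567CDEF ; constructed, not a real digest
poseidon   IN NS  poseidon
abcdefgh.buggedbrain.com. IN NS abcdefgh
"""

def fqdn(name, origin):
    """Expand a zone-file owner name to a lower-case absolute name."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def delegations_missing_ds(zone_text, apex):
    """Return child names with NS but no DS (one record per line, no multi-line records)."""
    apex = apex.lower().rstrip(".") + "."
    origin, owner = apex, None
    ns, ds = set(), set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenise
        if not fields:
            continue
        if fields[0].startswith("$"):           # $ORIGIN changes the suffix, $TTL is ignored
            if fields[0].upper() == "$ORIGIN":
                origin = fqdn(fields[1], origin)
            continue
        if not raw[0].isspace():                # a leading blank reuses the previous owner
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                       # skip optional TTL and class
        rtype = fields[0].upper() if fields else ""
        if rtype == "NS" and owner != apex:     # NS below the apex marks a delegation
            ns.add(owner)
        elif rtype == "DS":
            ds.add(owner)
    return sorted(ns - ds)

if __name__ == "__main__":
    for child in delegations_missing_ds(SAMPLE_ZONE, "buggedbrain.com"):
        print("NS without DS:", child)
```

For a name in the result, the signed parent proves that no DS exists, so validating resolvers treat the child zone as unsigned even when it carries valid signatures.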

  7. #7
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    Tested on my end on CentOS 6, DS records were added fine for poseidon.****cmstemplates.ru into its parent DNS zone.


    Probably somebody could test it for you on a FreeBSD server, or you need to open a ticket with DA support team.

  8. #8
    Join Date
    Nov 2015
    Posts
    15
    I'll open a ticket. I'm on CentOS 7. Thanks for testing.

  9. #9
    Join Date
    Nov 2015
    Posts
    15
