DNSSEC - subdomain zones

Nickske00 (Verified User, joined Nov 30, 2015, 90 messages)
Hi,

I have a weird problem. I have this setup of 4 DA servers. Three of them act as nameservers, so the fourth pushes its DNS changes to the other three with the multi-server option.

Every server has a hostname like server.buggedbrain.com; all is fine so far. Now, the main DNS zone (buggedbrain.com) is signed, so I needed to sign the other hostname zones (created by DirectAdmin on setup) as well. This all works: the DS records got added to the main zone, and when I verify this with a DNSSEC verifier it all checks out.

Now, there is one subzone that disappears when it gets re-signed. The other DS records get updated, but the records from one server always disappear when they get re-signed. Any idea where I have to look for a solution? Or any idea why this is happening?
 
Hi,

Yes, I sign them all from the same server; as hostname zones don't change, I see no problem in this (and otherwise the 'main' server wouldn't be able to access them correctly, no?).

I added a picture of the DS records; only the records from one server called 'poseidon' keep disappearing when the hostname zone gets re-signed.

Also, when I set this all up, the DS records got added automatically when I created keys for the hostname zones, so I clicked on 'Generate keys' and then they got signed too. I didn't have to click on 'Sign' like with 'normal' domains, but this is because the 'root' zone (buggedbrain.com) was already signed, I suppose?

Should I delete the hostname zone for poseidon.buggedbrain.com and re-add it maybe?
 

Attachments

  • directadmin-problem.png
Searched some more here on the forum, and as far as I can tell DA should do this automatically (https://www.directadmin.com/features.php?id=1904).

I deleted the zone (poseidon.buggedbrain.com) and added it again (it generated keys and got signed as expected). The NS records got added to the buggedbrain.com zone, but the DS records did not... For the other subdomain zones it is working as expected... Not sure why it fails on poseidon...
 
Checked logs for possible errors related to poseidon.buggedbrain.com?

Did you try to create anything like poseidon2.buggedbrain.com or poceidon.buggedbrain.com, poseidom.buggedbrain.com...? What results did you have?
 
Alright, I did some testing. The log I need to check is 'System messages' in the log viewer, right? Named doesn't seem to log anywhere else (except in /var/named/data/named.run, but the messages are the same as in the system messages log). I found no error messages.

I tested with some names. These succeeded:
- c0005.buggedbrain.com
- party.buggedbrain.com
- porty.buggedbrain.com

These failed:
- poceidon.buggedbrain.com
- poseidom.buggedbrain.com
- abcdefgh.buggedbrain.com

Is it possible this has something to do with the length? Because the shorter names succeed, the longer ones fail. But only for the DS records; the NS records always get inserted correctly.
 
Tested on my end on CentOS 6; DS records were added fine for poseidon.****cmstemplates.ru into its parent DNS zone.

Probably somebody could test it for you on a FreeBSD server, or you need to open a ticket with DA support team.
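The thread never shows how to verify the parent zone independently of the panel. The following is an added example (not DirectAdmin's or the poster's code): it derives the DS record a child zone's KSK should produce (key tag per RFC 4034 Appendix B, SHA-256 digest over the wire-format owner name plus DNSKEY RDATA) and reports whether that DS is present in the parent zone text. Owner names use example.com and the key bytes are a constructed placeholder, so the digest is illustrative, not a real key's.

```python
import base64
import hashlib
import struct

# Child-zone KSK as it would appear in the child's zone file. The key material is a
# constructed placeholder (4 bytes), not a real ECDSA P-256 key.
CHILD_OWNER = "poseidon.example.com."
CHILD_KSK = (257, 3, 13, "AQIDBA==")  # flags, protocol, algorithm, public key (base64)


def wire_name(name):
    """Encode an owner name in DNS wire format, lowercased as RFC 4034 requires."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum with the carry folded back in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest) for a SHA-256 (type 2) DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def parent_ds_records(zone_text):
    """Collect DS records from parent zone text as {owner: {(tag, alg, dtype, digest)}}."""
    found = {}
    for line in zone_text.splitlines():
        tok = line.split(";", 1)[0].split()  # drop comments; TTL/class are optional
        if "DS" not in tok:
            continue
        i = tok.index("DS")
        owner = tok[0].lower().rstrip(".") + "."
        tag, alg, dtype = (int(x) for x in tok[i + 1:i + 4])
        digest = "".join(tok[i + 4:]).upper()  # dig may split the digest across tokens
        found.setdefault(owner, set()).add((tag, alg, dtype, digest))
    return found


def ds_missing_in_parent(zone_text, owner, expected_ds):
    """True when the parent zone lacks the DS matching the child's KSK (the poseidon case)."""
    return expected_ds not in parent_ds_records(zone_text).get(owner.lower(), set())
```

Run `ds_missing_in_parent` against the output of `dig +norec @<parent-ns> <child> DS` for each hostname zone after a re-sign to catch a silently dropped DS before validators start failing.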
 