DNSSEC DS records godaddy

ssgill

Hello, I just enabled DNSSEC on my site. All done at the server and adding info at GoDaddy. I don't have their premium DNSSEC management so I have to enter them manually as DS records.

According to GoDaddy I need to enter this information for self-managed DNSSEC

When I enter all the required info I get this error:

the zone for selected domain does not contain valid zsk record

The bar on top has a check and a green line, and at the bottom they have a check box with OK and the following disclaimer:

To Override the Error and Confirm the Entries — Select I understand that that continuing with errors..., and then click OK.
Your website might not resolve if you store the invalid DS record information.

Not sure what to do next, any help would be appreciated.

Thanks
 
Thanks Alex for the quick reply.

Checked on Verisign Labs, have not updated the record on GoDaddy yet. Here is the result:

Found 3 DNSKEY records for .
DS=19036/SHA-1 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset

com

Found 1 DS records for com in the . zone
Found 1 RRSIGs over DS RRset
RRSIG=46551 and DNSKEY=46551 verifies the DS RRset
Found 2 DNSKEY records for com
DS=30909/SHA-256 verifies DNSKEY=30909/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=30909 and DNSKEY=30909/SEP verifies the DNSKEY RRset

domain.com

No DS records found for domin.com in the com zone
No DNSKEY records found
domain.com A RR has value 2XX.XXX.XXX.XXX
No RRSIGs found
 
Yes, I was getting the above error. Just to test, I went ahead and added the info that I had to the DS section of GoDaddy.
Tested my domain at pingdom.com and received this error:
Inconsistent security for domain.com - DS found at parent, but no DNSKEY found at child.

The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.

The DNSSEC - DNS Security tab in DirectAdmin has the Keys section filled and the Signed section filled with dates Sep 29 and Expire: Nov 3, and the following signed:

domain.com. IN DS 50881 5 1 1F020A8AE5032407C5CF3AE5E1C90AC8Bxxxxxxx7
domain.com. IN DS 50881 5 2 C49E22385BEE800018CA5CB32B8xxxxxxxxxxxxxxxxxC65DD06C20 C8F99F9F
domain.com.dlv.isc.org. IN DLV 50881 5 1 1F020A8AE503XXXXXXXXXXXXXXXXXXXXAC8B35E7D27
domain.com.dlv.isc.org. IN DLV 50881 5 2 C49E22385BEE800018CXXXXXXXXXXXXXXXXX1B18DABF61C65DD06C20 C8F99F9

And I have the following files in named:

/var/named/domain.ca.zsk.key
/var/named/domain.ca.zsk.private
/var/named/domain.com.zsk.key
/var/named/domain.com.zsk.private


So I am not sure why GoDaddy is complaining "the zone for selected domain does not contain valid zsk record"
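
Added example, not part of the original post: the pingdom message quoted above means every DS stored at the parent must correspond to a DNSKEY the child zone actually serves. This Python sketch recomputes the key tag and DS digest (RFC 4034) from a DNSKEY and compares them with a DS line written in the format shown above; the key, the `example.com.` name and all function names are constructed for illustration.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2, as on this page

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, HEXDIGEST) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Parse 'name. IN DS tag alg type HEX [HEX ...]'; the digest may contain spaces."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def ds_matches_dnskey(ds_line, dnskeys):
    """True if any DNSKEY published by the child zone produces this DS."""
    owner, ds = parse_ds(ds_line)
    if ds[2] not in DIGESTS:
        return False
    return any(make_ds(owner, rd, ds[2]) == ds for rd in dnskeys)

# Constructed sample: a 4-byte "key" with flags 257, protocol 3, algorithm 8.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, "AQIDBA==")
_tag, _alg, _type, _hex = make_ds("example.com.", SAMPLE_KEY, 2)
# Digest split by a space, as in the DS lines quoted in the post.
SAMPLE_DS = f"example.com. IN DS {_tag} {_alg} {_type} {_hex[:56]} {_hex[56:]}"

if __name__ == "__main__":
    print("DS matches served DNSKEY:", ds_matches_dnskey(SAMPLE_DS, [SAMPLE_KEY]))
    print("DS with no DNSKEY at child:", ds_matches_dnskey(SAMPLE_DS, []))
```

The second call returns False, which is the "DS found at parent, but no DNSKEY found at child" condition: the DS is well formed, but no served key hashes to it.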
 
Hello, when I check named slaves there is no record

ls -l /var/named/slaves/
total 0

According to this tutorial there should be a zone and a signed zone record in slaves.

And I am not able to find this entry in named or in the /var/named/domian.com.db.signed

zone "example.com" IN {
    type slave;
    file "example.com.zone.signed";
    masters { 1.1.1.1; };
    allow-notify { 1.1.1.1; };
};

Any idea what I am doing wrong? Thanks
 