DNSSEC for fully qualified subdomains

Djunity (Verified User, joined Mar 9, 2008, 243 messages, Holland)
Hi,

We are currently implementing DNSSEC for all of our domains. We are using a post script to send the keys to the registries; that's working OK for a few test domains.

What I'm not sure about, and a test didn't work, is how to use fully qualified subdomains with DNSSEC.

I have tried adding the ZSK key from a subdomain to the registry; that's OK, but after it's been added to the root zone
I'm still getting an error when checking at http://dnssec-debugger.verisignlabs.com/. The check said: No DS records found for domain.com.

Any idea on how to secure subdomains with DNSSEC?

Kind regards
 
Only a guess based on my experience with DNS:

You need a separate zone for the subdomain. The parent zone must also be DNSSEC secured and must have in it NS records for the subdomain.

Jeff
 
Hi Jeff,

OK, you're right for a part. If the subdomain is on different nameservers than the root, then you need to add the NS records from the sub to the root domain zone; if they're on the same ones, it's not mandatory.
What needs to be done is to add the DS from the subdomain to the zone of the root domain.

I have sent John an email, as this is not supported by DirectAdmin yet.
 
I've implemented the DS record types for domains, so it can now work:
http://www.directadmin.com/features.php?id=1639

I've tested it out on http://subtest.jbmc-software.com, and it seems to work:
http://dnssec-debugger.verisignlabs.com/subtest.jbmc-software.com

FYI, I may delete the subtest zone in a few days.

If you'd like to try the changes now, grab the pre-release binaries:
http://help.directadmin.com/item.php?id=408

How to use it:
  1. Create your domain.com and sub.domain.com zones, as full domains.
  2. Ensure domain.com has a key and is signed (DNS Admin -> domain.com), and you've entered your domain.com DS records at your registrar.
  3. Go to sub.domain.com and create the keys, and sign it as well.
  4. On that same page for sub.domain.com, copy the 2 DS records from the bottom of the page (CentOS 5 only has 1, which is fine).
  5. Go to DNS Admin -> domain.com, and create "NS" records that match the values in the sub.domain.com zone (can be the same or a different server), e.g.:
    Code:
    sub.domain.com.  NS  ns1.domain.com.
  6. Still on the same page (zone for domain.com), add the DS record that you copied, e.g.:
    Code:
    sub.domain.com. DS <pasted value after "DS">
  7. Confirm that the signed time for domain.com has been updated. If not, or to be sure, click the "Sign" button for domain.com.

John
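The DS records copied in step 4 are not secrets; they are derived from the child zone's DNSKEY (key tag, algorithm, digest type and a hash over the owner name plus the key RDATA, per RFC 4034). The following is an added example, not DirectAdmin's code and not from this thread, showing that derivation for the two digest types the panel shows (SHA-1 and SHA-256); the DNSKEY line it uses is a constructed sample with a made-up key, so the key tag can be checked by hand.

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the DNSKEY RDATA as 16-bit words, then fold in the carry.
    (Algorithm 1, RSA/MD5, used a different legacy rule and is not handled here.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")          # tolerate an optional TTL and/or class before the type
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over several tokens
    return fields[0], flags, protocol, algorithm, pubkey

def ds_records(dnskey_line: str, digest_types=(1, 2)) -> list:
    """Return the DS records the parent zone must publish for this child DNSKEY, one per digest type."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    tag = key_tag(rdata)
    out = []
    for dt in digest_types:
        # Digest input is the canonical owner name followed by the full DNSKEY RDATA.
        digest = DIGEST_ALGS[dt](name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner.lower().rstrip('.')}. IN DS {tag} {algorithm} {dt} {digest}")
    return out

# Constructed sample (not a real key): a KSK (flags 257), algorithm 13, with a 4-byte placeholder key.
SAMPLE_DNSKEY = "Sub.Domain.com. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x00\x01\x00\x02").decode()

if __name__ == "__main__":
    for rr in ds_records(SAMPLE_DNSKEY):
        print(rr)  # paste these into the parent zone (step 6), not into the child zone
```

Run it against the real DNSKEY line of the child zone and the DS lines it prints should match what the panel shows at the bottom of the sub.domain.com page; a mismatch usually means the owner name or key was copied with a typo.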
 
Hi all

I don't understand the last step. How do I create the DS record? That is my doubt.
From http://dnssec-debugger.verisignlabs.com all is OK except "No DS records found for domain.tld in the org zone".
How can I proceed to finish this?

thanks a lot.

Hi,

For example, you want to secure sub.domain.com, and domain.com is already signed.
You have to add
sub.domain.com. NS ns1.yournameserver
sub.domain.com. NS ns2.yournameserver
to the DNS zone of domain.com.
Next you have to take the DS record from sub.domain.com and also add this to the DNS zone of domain.com.
After this is done you'll see it will work.
 
I am considering whether I am going to start using DNSSEC for my shared hosting customers' domains. Regarding fully qualified subdomains I have a question I hope someone can answer:

If I DNSSEC sign a customer's main domain, and if I do not take the needed steps to sign the fully qualified subdomain the user also has, will the subdomains stop working or get errors in the browser?

I just need to figure out if it will create any trouble if I sign domains and do not sign the fully qualified subdomains too. Will they work normally without DNSSEC when it is enabled on the main domain?

I just need to know this because this is shared hosting, and I can't monitor whether a customer themselves adds a fully qualified subdomain under the already DNSSEC signed domain. Should it cause trouble?
 
If the user adds a subdomain from DA, he will not be sending email from the subdomain, but from the main domain only, which would be verified.
If the user adds a subdomain as a domain, then DNSSEC will be available for that subdomain (because the script that creates the related DNSSEC entries will get called); that's the only way a user can send email from the subdomain at the moment.

Best regards
 
Let me see if I understand this correctly: so if a user adds a subdomain as a domain under a DNSSEC signed domain, then the only thing that will break/not work is email for that subdomain? But the website for the subdomain will not have trouble?

It is problematic that manual steps are needed, as long as users can add a subdomain as a domain themselves. I have read this, so it is not automated yet?: https://help.directadmin.com/item.php?id=652
 
No, if a user adds a subdomain as a domain, DA will take care of everything, so everything (including mail and DNSSEC) should be working just fine.

If a user adds a subdomain as a normal subdomain, he will not be able to send email as @subdomain.domain.tld because there is no such function, and so he will be just fine as well.

EDIT: Sorry, I didn't read that guide. I guess yes, manual work would be needed, but usually I don't let users add subdomains as domains unless I do it for them. You may want to use domain_create_post.sh to do some checks and the related DNS additions using the APIs.

Best regards
 
Thanks. But I am confused about the guide at https://help.directadmin.com/item.php?id=652: is it outdated, and are these manual steps no longer needed?

And do you know what happens when I sign a domain which already has several subdomains added as full domains? Will DA automatically take care of the existing subdomains also?
 
I don't think it is outdated, and I think that if you sign a domain which already has a subdomain added as a domain, you will still have to do those steps.

The best approach will be to enable the functionality and run some tests with fake domains, then check the DNS. That would be quite a bit faster; otherwise you may want to open a ticket to DA Staff.

Best regards
 
Thanks. I am working on testing it now. I have a question I hope someone can answer:

When I enable DNSSEC for a domain and also sign it, I get this line: "Signed Nov 25 15:27 2016 Expiry: Dec 30 12:27 2016"

Question is: when DirectAdmin updates the expiry on Dec 30, is it then needed for me to manually log into my registrar and add new DS records there? Or are the DS records not changed when the expiry is updated by DirectAdmin? Hopefully they are not changed.

Also I discovered a bug when using multiserver and doing "Admin Level -> DNS Admin -> domain.com" and activating and signing DNSSEC for a domain: the SOA serial is not updated, so it does not match the SOA number on the other name servers. I have reported the bug to tickets.directadmin.com
 
Sorry, I'm confused: if DA is managing the DNS, why do you need to log into your registrar?

Personally, at my registrar I'm just specifying my nameservers, and after that I maintain everything from a DA perspective; the DS record should work that way too, in my opinion. (Please keep in mind that I'm not using them yet because my slaves are CentOS 5 :p)

Best regards
 
To answer my previous question: I have now tested. If you add a subdomain as a full domain under a domain that is using DNSSEC, then the subdomain will not work; it will give this error in your browser:

Code:
subdomain.domain.tld’s server DNS address could not be found.
Try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN

This is a show stopper for anyone selling shared hosting, because you can't enable DNSSEC for their domains: if they add a subdomain as a full domain, the subdomain will not work without doing this manually: https://help.directadmin.com/item.php?id=652
 
I still think you can achieve that with some scripts and API calls.

For sure it would be some kind of a pain the first time, but after that you'll have everything automated.

Best regards
 
I think this should be automated by default in DirectAdmin. I hope they can add the automation for us all.
 