DNSSEC for fully qualified subdomains

[SeLLeRoNe]

Yes and no, i mean, you may have a domain on a server and the subdomain on another one, or even be entitled just to use the subdomain, is can be complicated

 

[ditto]

Well. If there is not added any automation for this problem, I will not be able to offer any of my shared hosting customers DNSSEC, that is for sure.

 

[SeLLeRoNe]

I don't get the problem on writing a custom post script honestly

 

[ditto]

I am not sure I am capable of writing a custom prost script for this task.

Also, everyone starting to enabling dnssec, be very careful if you enable dnssec for the domain name wich also is used for subdomains that is your server hostname for your servers. Then remember to also enable/dnssec for all your server hostname in the main domain for that, on the same way as for subdomains added as full domains: https://help.directadmin.com/item.php?id=652 - if not, potensially every hostname you have could stop working if you enable dnssec on the domain that is used in the hostnames (without doing the extra steps in link).

 

[ditto]

I just come to think of another thing. What happen if I sign the domain that is also used in my name servers? Like I have domain.com, and I have ns1.domain.com and ns2.domain.com - I wonder when I DNSSEC sign domain.com if the name servers themself (ns1.domain.com and ns2.domain.com) will stop working? Getting confused here now.

Edit: Thinking more about it: Because ns1.domain.com and ns2.domain.com does not have their own zone files, I don't think they will stop working when signing domain.com. Should not be a problem I think.

 

[zEitEr]

We have domains of our customers where a domain.com is delegated with ns1.domain.com, ns2.domain.com, ns3.domain.com. It's not only .com, they have .nl, .eu, .be as well.

There should not be any issue with it. Anyway you can test it here: http://dnssec-debugger.verisignlabs.com/

 

[ditto]

Thank you for confirmation on the name servers, zEitEr. However what I am still not able to figure out, is if the two DS records that I add at my registrar, if those are changed or not during DirectAdmin montly reset? Meaning do I need to add new DS records at my registrar every month?

I did run the re-signing manually to test doing this command:

echo "action=rewrite&value=dnssec" >> /usr/local/directadmin/data/task.queue

However it did not change the DS records keys, and it did not change the expiry date. Only the "Signed" date changed, but the expiry date remained unchanged:

Signed	Nov 26 13:24 2016     Expiry: Dec 31 10:24 2016

So if no ones has the answer, it seems I must wait one month to figure out if the two DS records will change or not during monthly reset? If they will change, it will be hard to automate this with api and my registrar.

 

[ditto]

I think this should be automated by default in DirectAdmin. I hope they can add the automation for us all.

John has now added the automation for this, coming in the next version: https://www.directadmin.com/features.php?id=1904

DirectAdmin is the best!

 

[SeLLeRoNe]

Cool

Thanks for the update