DNSSEC not working on subdomain added as second domain

Protected

Hello. I have the following setup in my server:

example.com is a domain of userA - Using DNSSEC, everything valid (previously registered upstream)
b.example.com was recently created as the main domain of userB - Automatically using DNSSEC, everything valid.
a.example.com was recently created as a second domain of userA (the owner of example.com) - Automatically using DNSSEC, but broken with 8 errors according to dnsviz!

If I go to the example.com DNS zone I see the same entries for a.example.com and b.example.com. The zones a.example.com and b.example.com also seem to be set up with the same records. However, in b.example.com (as in other signed zones) there are entries under the Signed heading for:

b.example.com. IN DS ...
b.example.com.dlv.isc.org. IN DLV ...

But for a.example.com there is only IN DS, not IN DLV. In a.example.com, clicking the Sign button to sign again does not fix this problem. Also, clicking the Remove button to the right of Remove DNSSEC does not actually remove DNSSEC. Everything stays the same.

Anyone encountered this issue? How do I get things to work properly?
 
Maybe I just need to wait? Sorry, I only do this once in a blue moon.

Errors as reported by verisign labs:
No DNSKEY records found
No RRSIGs found
No RRSIGs found

Errors as reported by dnsviz:
Bogus delegation example.com to a.example.com (No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.; The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no DS RR matched a DNSKEY with algorithm 13 that signs the zone's DNSKEY RRset.)
RRSet status bogus for /A /MX /NS /SOA /TXT
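The dnsviz error quoted above is the parent's DS RRset not matching any DNSKEY the child serves. The following is an added example, not code from this thread or from the control panel in question, that performs that check offline with only the Python standard library: it computes the RFC 4034 key tag and the DS digest for each child DNSKEY and reports, per algorithm, whether the parent's DS records point at a key that exists in the child zone. The keys are constructed byte strings (not real ECDSA public keys), the owner name a.example.com is taken from the post, and the `parse_dnskey`/`parse_ds` helpers are assumptions about single-line `dig` output. It covers only the DS-to-DNSKEY link; verifying the RRSIG over the DNSKEY RRset is out of scope.

```python
"""DS-to-DNSKEY consistency check for a delegation (parent DS vs. child DNSKEY).

Pure standard library. Mirrors the part of a validator (and of dnsviz) that
looks for a secure entry point: a DS in the parent whose key tag, algorithm
and digest match a DNSKEY actually served by the child.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s.6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even bytes are the high half of each 16-bit word
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS tuple (key_tag, algorithm, digest_type, hex digest); digest is over owner|RDATA."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parse_dnskey(line: str) -> bytes:
    """Assumed helper: parse one single-line 'owner [ttl] [IN] DNSKEY flags proto alg base64' record."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return dnskey_rdata(flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))


def parse_ds(line: str) -> tuple:
    """Assumed helper: parse one 'owner [ttl] [IN] DS tag alg dtype hex' record."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).lower())


def check_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> dict:
    """Match every parent DS against the DS values derivable from the child's DNSKEYs.

    A validator needs at least one match to get a secure entry point; dnsviz
    additionally flags each DS algorithm for which no DS matched any DNSKEY,
    which is exactly the 'algorithm 13 ... no DS RR matched' condition.
    """
    derivable = set()
    for rdata in child_dnskeys:
        for dtype in DIGEST_ALGOS:
            derivable.add(ds_from_dnskey(owner, rdata, dtype))
    matched = [ds for ds in parent_ds if ds in derivable]
    unmatched = [ds for ds in parent_ds if ds not in derivable]
    ds_algs = {ds[1] for ds in parent_ds}
    sep_algs = {ds[1] for ds in matched}
    return {
        "secure_entry_points": sorted({ds[0] for ds in matched}),
        "unmatched_ds": unmatched,
        "algorithms_without_sep": sorted(ds_algs - sep_algs),
        "secure": bool(matched),
    }


# Constructed sample data (not real keys): 64 filler bytes stand in for an
# ECDSA P-256 public key; flags 257 = zone key + SEP bit, algorithm 13.
KSK_A = dnskey_rdata(257, 3, 13, b"\x01" * 64)
KSK_B = dnskey_rdata(257, 3, 13, b"\x02" * 64)
PARENT_DS = [ds_from_dnskey("a.example.com", KSK_A)]   # what example.com publishes for a.example.com


def demo() -> tuple:
    """Healthy delegation vs. the broken case: child regenerated its keys, parent DS is stale."""
    ok = check_delegation("a.example.com", PARENT_DS, [KSK_A])
    broken = check_delegation("a.example.com", PARENT_DS, [KSK_B])
    return ok, broken


if __name__ == "__main__":
    for label, result in zip(("healthy", "broken"), demo()):
        print(label, result)
```

To run this against a live delegation, feed `parse_ds` the lines from `dig +noall +answer DS a.example.com` asked of the parent's nameservers and `parse_dnskey` the lines from `dig +noall +answer DNSKEY a.example.com` asked of the child's; an empty `secure_entry_points` list together with a non-empty `algorithms_without_sep` reproduces the dnsviz finding in the post. Regenerating keys in the child (as the follow-up describes) changes the key tag and digest, so the parent's DS must be republished whenever that happens.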
 
If it wasn't an incredible coincidence in timing, it seems I fixed the zone by doing the following:

Click Generate Keys instead of Remove.

This broke the zone (warning that the zone was older than the keys and needed to be signed again) and finally allowed me to sign it manually using the Sign button. (Note that I had previously tried the Sign button, which didn't solve the problem.)

After that, no more errors from dnsviz/verisign. Still no IN DLV but I understand those may no longer be a thing.
 