DNSSEC on hostname

Wanabo

Following this DA-tutorial, I've managed to set up DNSSEC for a "normal" domain. All checks out well at dnssec-debugger.verisignlabs.com.

Is the procedure the same for the hostname?
I'm unsure because in :2222/evo/admin/dns I have two dns entries. One for host.example.com and one for example.com. Nameservers for all hosted domains are ns1.example.com and ns2.example.com
Should I generate dnssec keys for both domains?

I mean, when I do something wrong it could negatively impact on mail- and domain trust.
 
Should I generate dnssec keys for both domains?
That's up to you if you want that.
I've read a little bit about it on Cloudflare (click) and if you have set up the hostname the same way as in my guide, so as a separate DNS record, then you do have separate DNS, like as in a subdomain.
Also in that DNS record you are able to create DNSSEC keys for that "subdomain" since it's a separate DNS record.
It's also possible to have the hostname record on one server and the domain record on another server, which would also have separate/different DNS entries.

So reading that part, and since it's a separate DNS record, I think it is possible, as a choice, because it's not a requirement.
 
Hi Wanabo

You should delete the subdomain zone 'host.example.com' and add the required DNS records in the parent zone or it will create issues.
You should only sign the parent zone.
(unless you know what you are doing, but still, you should not do it that way)

Our DirectAdmin servers are primary dns servers notifying an inline signer which is notifying our authoritative servers.
In this way, all zones are by default signed with the dnssec protocol we want. Users on DirectAdmin or DirectAdmin administrators cannot change anything about DNSSEC (enable or disable it, change the protocol or other dnssec settings), this is the way we want it to be implemented.
Our inline signer is filtering out subdomains, and other zones like 'localhost' and 'localhost.localdomain' or domains that do not have a tld,...

Kr
Dries
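
As an added illustration of the two rules in this post (sign only the parent zone, and let the signer skip subdomain zones, localhost-style names and names without a TLD) together with the follow-up concern that the hostname's records must then actually live in the parent zone, here is a small Python check. It is example code written for this thread, not DirectAdmin's or any inline signer's own logic; the zone list, the zone file text and the list of required record types are constructed sample data.

```python
"""Zone inventory check before DNSSEC signing (constructed example)."""
from __future__ import annotations

# Names an inline signer should leave unsigned (constructed list, matching
# the 'localhost' / 'localhost.localdomain' examples in the post above).
SKIP_NAMES = {"localhost", "localhost.localdomain"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().rstrip(".").lower()


def has_tld(name: str) -> bool:
    """True when the name has at least two non-empty labels (e.g. example.com)."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels)


def parent_zone(name: str, zones: set[str]) -> str | None:
    """Return the closest hosted ancestor of `name`, or None if it is top-level."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def classify_zones(zone_names) -> dict[str, str]:
    """Decide per zone: 'sign', 'skip', or 'subdomain of <parent>'."""
    zones = {normalize(z) for z in zone_names}
    result = {}
    for z in sorted(zones):
        if z in SKIP_NAMES or not has_tld(z):
            result[z] = "skip"
        else:
            parent = parent_zone(z, zones)
            result[z] = f"subdomain of {parent}" if parent else "sign"
    return result


def parse_zone(text: str) -> dict[tuple[str, str], list[str]]:
    """Minimal zone-file parser: (owner, type) -> rdata strings.

    Assumes one record per line with absolute owner names; $-directives
    and comments are ignored. Enough for a hosted-zone sanity check.
    """
    records: dict[tuple[str, str], list[str]] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        owner, rest = normalize(parts[0]), parts[1:]
        if rest and rest[0].isdigit():   # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def missing_host_records(zone_text: str, hostname: str,
                         required=("A",)) -> list[str]:
    """Record types for `hostname` that the parent zone does not contain."""
    records = parse_zone(zone_text)
    host = normalize(hostname)
    return [t for t in required if (host, t) not in records]


# Constructed sample: parent zone that already carries the hostname's A record.
SAMPLE_PARENT_ZONE = """\
$ORIGIN example.com.
$TTL 3600
example.com.       IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.       IN NS  ns1.example.com.
example.com.       IN NS  ns2.example.com.
example.com.       IN MX  10 host.example.com.
ns1.example.com.   IN A   192.0.2.1
ns2.example.com.   IN A   192.0.2.2
host.example.com.  IN A   192.0.2.10
"""

if __name__ == "__main__":
    hosted = ["example.com", "host.example.com", "localhost",
              "localhost.localdomain", "other.org"]
    for zone, verdict in classify_zones(hosted).items():
        print(f"{zone:25} {verdict}")
    gaps = missing_host_records(SAMPLE_PARENT_ZONE, "host.example.com", ("A", "AAAA"))
    print("host.example.com missing in parent zone:", gaps or "nothing")
```

Run it before deleting a child zone: every zone reported as "subdomain of ..." is a candidate for folding into its parent, and `missing_host_records` tells you which hostname records still have to be added to the parent zone first (the sample data lacks an AAAA record, so that is what it reports).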
 
You should delete the subdomain zone 'host.example.com' and add the required DNS records in the parent zone or it will create issues.
You should only sign the parent zone.
When I check mail headers I see: Received:from host.example.com by host.example.com with LMTP id +.......
Would this behavior change and break something when deleting the subdomain zone 'host.example.com' and adding the required DNS records in the parent zone?
And what about 2222/evo/admin/server-tls. It has server TLS certificate and key for host.example.com.
 
I don't think it will, you will have to make sure the required subdomain records are active in the parent zone.

Kr
Dries
 
don't think it will,
I think it does unless you know what you're doing. Because you won't get an SSL record for your hostname, unless you either use wildcard DNS or add the hostname sub in the directadmin.conf like you would do when adding imap (which is also not a real subdomain).

Also we've seen issues with mail sent via PHP mail via the hostname causing odd issues, which is the reason we create a separate DNS entry for the hostname. Reason: without it, there is no entry for the hostname in the /etc/virtual directory, which could cause issues.
Those are my concerns; I've seen that happen in the past, which is why I never again use the hostname in the normal domain DNS.

So with the line written by Wanabo I also think he's fine, which is easy to check.
 