DNSSEC DS Record


DNSSEC DS Record

sami's strat
The following zone is dnssec signed:  ns2cloud.com


However, the zone is missing the DS record, completely.  That being said, what is the offset, or result?  I don't see an AD flag when querying the zone.  Other than that, are there any other ramifications?

thanks in advance.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC DS Record

Steven Carr
On 14 July 2017 at 01:52, sami's strat <[hidden email]> wrote:
> However, the zone is missing the DS record, completely.  That being said,
> what is the offset, or result?  I don't see an AD flag when querying the
> zone.  Other than that, are there any other ramifications?

Without the DS record in the parent the zone is treated as being
unsigned (hence why you don't see the AD flag).
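
As an added illustration of the point above (this is example code written for this page, not code from the thread, from BIND or from ISC), the script below builds the DS record a parent would have to publish for a child's DNSKEY, following RFC 4034: the key tag from Appendix B and the digest over the canonical owner name plus the DNSKEY RDATA. It then models the validator's decision at the delegation: no DS in the parent means the child is treated as insecure (no AD flag, the child's signatures are never checked), a DS that matches a DNSKEY at the apex means secure, and a DS that matches nothing means bogus. The owner name `example.com.`, the 64-byte public key and the resulting values are constructed placeholders, not real key material; the `delegation_status` function is a simplification that takes the parent's DS set as given rather than requiring an NSEC/NSEC3 proof of absence.

```python
import hashlib
import struct

# Digest type numbers from the DS record registry (RFC 4034 s5.1.3, RFC 4509, RFC 6605).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS RDATA the parent must publish for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)   (RFC 4034 s5.1.4)."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],       # algorithm byte of the DNSKEY RDATA
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all agree."""
    cand = make_ds(owner, rdata, ds["digest_type"])
    return (cand["key_tag"] == ds["key_tag"]
            and cand["algorithm"] == ds["algorithm"]
            and cand["digest"].lower() == ds["digest"].lower())


def delegation_status(owner: str, parent_ds_set: list, child_dnskeys: list) -> str:
    """Simplified model of the validator's decision at a delegation (RFC 4035 s5.2).

    Assumption: the parent's DS RRset is taken as given.  A real validator must
    also see a signed NSEC/NSEC3 proof before concluding that no DS exists.
    """
    if not parent_ds_set:
        # No DS in the parent: the chain of trust stops here.  The child's DNSKEY
        # and RRSIGs are ignored and answers come back without the AD flag.
        return "insecure"
    for ds in parent_ds_set:
        for rdata in child_dnskeys:
            if ds_matches(ds, owner, rdata):
                return "secure"
    # DS present but no DNSKEY at the apex matches it (stale key, wrong digest,
    # or a DNSKEY the resolver never gets to see).
    return "bogus"


# Constructed sample: a KSK (flags 257 = ZONE|SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256) with a placeholder 64-byte public key.  Not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest'].upper()}")
    print("with DS in parent   :", delegation_status(SAMPLE_OWNER, [ds], [SAMPLE_KSK]))
    print("without DS in parent:", delegation_status(SAMPLE_OWNER, [], [SAMPLE_KSK]))
```

Running it prints the DS record in presentation format for the constructed key and then `secure` and `insecure` for the two scenarios; the second line is the situation the original poster describes, where signing the zone changes nothing for validating resolvers until the DS is published in the parent.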

Re: DNSSEC DS Record

sami's strat
What about the child zone?  Do I need a DS record for the child zone as well?  I see a good number of big DNS players in DNS (no names) that do have DS records in their zones.

Does zbc.com (for example) need DS, or is it just passed by the TLD?

TIA

On Fri, Jul 14, 2017 at 5:20 AM, Steven Carr <[hidden email]> wrote:
On 14 July 2017 at 01:52, sami's strat <[hidden email]> wrote:
> However, the zone is missing the DS record, completely.  That being said,
> what is the offset, or result?  I don't see an AD flag when querying the
> zone.  Other than that, are there any other ramifications?

Without the DS record in the parent the zone is treated as being
unsigned (hence why you don't see the AD flag).



Re: DNSSEC DS Record

/dev/rob0
On Fri, Jul 14, 2017 at 04:41:07PM -0400, sami's strat wrote:
> What about the child zone?  Do I need a DS record for the child

No, not in the delegated zone.

> zone as well?  I see a good number of big DNS players in DNS (no
> names) that do have DS records in their zones.

Nothing will use it.

> Does zbc.com (for example) need DS, or is it just passed by the TLD?

Zbc.com. is not a zone, it is a CNAME in the com. TLD.  There would
be no NS to delegate to, therefore no DS.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: DNSSEC DS Record

Evan Hunt
On Fri, Jul 14, 2017 at 05:11:18PM -0500, /dev/rob0 wrote:
> > Does zbc.com (for example) need DS, or is it just passed by the TLD?
>
> Zbc.com. is not a zone, it is a CNAME in the com. TLD.  There would
> be no NS to delegate to, therefore no DS.

Actually it *is* a zone: the .com TLD delegates to servers at iidns.com,
which then return a CNAME at the zone apex, but only if the query is for
type A.  For other query types including DNSKEY, they return NOERROR/NODATA.

This is a bad idea and they should stop doing it.

If zbc.com were to be signed, it would need a DS in .com and it would also
need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and
DNSSEC validation would fail.

(This is more or less the exact use case for the proposed ANAME record.)

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.