Forum Discussion

Nath (Cirrostratus rank)
Sep 04, 2023

Enabling DNSSEC for 1 record only

Hi Experts,

Trying to clear my doubts about DNSSEC. Usually, we implement DNSSEC on the whole zone, e.g. example.com.

My question is, is it possible to enable DNSSEC for specific records only like -> uat.example.com?

Thank you so much for your attention and participation.

  • Realistically, the answer is no, because although you could, as per your example:

    o create a new separate DNS zone named "uat.example.com" (with SOA and NS records)

    o then create, for example, an A record in the zone so that "uat.example.com" resolves to an IP address

    o then DNSSEC-sign this new "uat.example.com" zone so that it has the DNSSEC required public keys (DNSKEY records) and signatures (RRSIG records signed by private keys)

    it would not be part of the DNSSEC chain-of-trust that DNSSEC validation requires. This is because if the parent zone "example.com" is not DNSSEC-signed (and thus is not part of the chain-of-trust), it cannot vouch (with DS records) for the public keys (DNSKEY records) of the child zone "uat.example.com".

    Note that the DNSSEC chain-of-trust starts with the root zone (".") and extends on down (e.g., "." to "com." to "cloudflare." to "community."), with any unsigned (or erroneous/bogus) component invalidating the rest of that chain-of-trust.


    FOOTNOTE. The "real" example.com zone is DNSSEC-signed and passes validation, as per CloudFlare (IP 1.1.1.1) ...

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> SOA +additional +multiline +dnssec example.com. @1.1.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12683
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ;; QUESTION SECTION:
    ;example.com. IN SOA

    ;; ANSWER SECTION:
    example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. (
    2022091331 ; serial
    7200 ; refresh (2 hours)
    3600 ; retry (1 hour)
    1209600 ; expire (2 weeks)
    3600 ; minimum (1 hour)
    )
    example.com. 3600 IN RRSIG SOA 13 2 3600 20230924195807 (
    20230903171433 32385 example.com.
    wsTSk8qrgpcDRtcNLCvGd0JAkDctbs4F3BJkIRtESRN0
    4oq9jdGM4ArOjy/CoWQ1tuqrmhqoBC4BECq+uWf1Og== )

    ;; Query time: 20 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Sep 4 23:27:49 2023
    ;; MSG SIZE rcvd: 203
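    The DS-to-DNSKEY linkage described in the answer above, as an added example that is not part of the original thread: a small Python model of the chain-of-trust walk from the root down to uat.example.com. It computes real key tags (RFC 4034 Appendix B) and SHA-256 DS digests (RFC 4509) over constructed zone data, but does not verify RRSIG signatures. The zone layout, the "keys" (SHA-256 of seed strings, not real key material) and the DS records are all constructed for the example. It goes one step beyond the thread: the island_anchor case shows that a resolver whose operator pins the uat.example.com KSK as a locally configured trust anchor can validate that "island of security", which is why the answer's "no" holds for public resolvers such as 1.1.1.1 but not for resolvers you administer yourself.

```python
"""Toy DNSSEC chain-of-trust walk over constructed zone data (added example)."""
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lowercase labels), RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata: bytes) -> int:
    """DNSKEY key tag, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name + DNSKEY RDATA, RFC 4509."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def make_dnskey(seed: str, flags: int = 257, algorithm: int = 13) -> bytes:
    """Constructed DNSKEY RDATA (flags 257 = KSK, protocol 3, algorithm); key bytes are a hash of the seed."""
    fake_pubkey = hashlib.sha256(seed.encode()).digest() * 2  # 64 bytes, like an ECDSA P-256 key
    return struct.pack("!HBB", flags, 3, algorithm) + fake_pubkey

def ds_record(child: str, dnskey: bytes) -> tuple:
    """The DS RR a parent publishes for a child KSK: (key tag, algorithm, digest type, digest)."""
    return (key_tag(dnskey), dnskey[3], 2, ds_digest(child, dnskey))

def ds_matches(child: str, ds_set: list, dnskeys: list) -> bool:
    return any(tag == key_tag(k) and alg == k[3] and dtype == 2 and digest == ds_digest(child, k)
               for (tag, alg, dtype, digest) in ds_set for k in dnskeys)

def ancestors(qname: str) -> list:
    """Zone names from the root down to qname: ['.', 'com.', 'example.com.', ...]."""
    labels = qname.strip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def validate_chain(qname: str, zones: dict, trust_anchors: dict) -> tuple:
    """Return (status, trace); status is 'secure', 'insecure' or 'bogus'.
    zones: {zone: {'dnskey': [rdata...], 'ds': {child: [ds_record...]}}} (no 'dnskey' = unsigned);
    trust_anchors: {zone: {(key tag, digest)...}}. RRSIGs are not checked, only DS -> DNSKEY."""
    trace, status, parent, parent_status = [], "insecure", None, None
    for zone in ancestors(qname):
        if zone not in zones:
            continue  # no zone cut here in the constructed data
        keys = zones[zone].get("dnskey", [])
        if zone in trust_anchors:  # a configured anchor can start a chain at any zone
            ok = any((key_tag(k), ds_digest(zone, k)) in trust_anchors[zone] for k in keys)
            status = "secure" if ok else "bogus"
            trace.append(f"{zone} trust anchor {'matches' if ok else 'MISMATCH'}")
        elif parent_status != "secure":
            # No validated parent can vouch for this zone's DNSKEYs, so its own RRSIGs are
            # useless to a validator even if the zone is signed (an 'island of security').
            status = "insecure"
            trace.append(f"{zone} insecure: parent {parent} is not validated")
        else:
            ds_set = zones[parent].get("ds", {}).get(zone, [])
            if not ds_set:
                status = "insecure"  # secure parent publishes no DS: unsigned delegation
                trace.append(f"{zone} insecure: no DS in {parent}")
            elif ds_matches(zone, ds_set, keys):
                status = "secure"
                trace.append(f"{zone} secure: DS in {parent} matches a DNSKEY")
            else:
                status = "bogus"
                trace.append(f"{zone} BOGUS: DS in {parent} matches no DNSKEY")
        if status == "bogus":
            break  # bogus propagates to everything below
        parent, parent_status = zone, status
    return status, trace

def scenario(sign_example_com: bool, island_anchor: bool = False, wrong_ds: bool = False) -> str:
    """Constructed zones for the thread's case; returns the validation status of uat.example.com."""
    root_ksk, com_ksk, example_ksk, uat_ksk = (make_dnskey(s) for s in ("root", "com", "example", "uat"))
    zones = {
        ".": {"dnskey": [root_ksk], "ds": {"com.": [ds_record("com.", com_ksk)]}},
        "com.": {"dnskey": [com_ksk], "ds": {}},
        "example.com.": {"ds": {}},  # unsigned unless sign_example_com
        "uat.example.com.": {"dnskey": [uat_ksk]},  # the signed child from the question
    }
    if sign_example_com:
        zones["com."]["ds"]["example.com."] = [ds_record("example.com.", example_ksk)]
        zones["example.com."]["dnskey"] = [example_ksk]
        vouched = make_dnskey("stale-or-attacker-key") if wrong_ds else uat_ksk
        zones["example.com."]["ds"]["uat.example.com."] = [ds_record("uat.example.com.", vouched)]
    anchors = {".": {(key_tag(root_ksk), ds_digest(".", root_ksk))}}
    if island_anchor:  # operator pins the uat.example.com KSK on their own resolver
        anchors["uat.example.com."] = {(key_tag(uat_ksk), ds_digest("uat.example.com.", uat_ksk))}
    status, trace = validate_chain("uat.example.com", zones, anchors)
    print("\n".join("  " + line for line in trace))
    return status

if __name__ == "__main__":
    for args in [(False,), (True,), (False, True), (True, False, True)]:
        print(args, "->", scenario(*args))
```

    Running it prints the four cases the thread turns on: a signed uat.example.com under an unsigned example.com comes out "insecure" (not bogus, because nothing above it claims it should validate); signing example.com and publishing a DS for the child makes it "secure"; a DS that matches none of the child's DNSKEYs (a stale key after a rollover, or a tampered delegation) makes it "bogus"; and the island_anchor case shows the one way to validate the child without signing the parent, which only works on resolvers where you control the trust-anchor configuration.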


    • Nat24 (Nimbostratus rank)

      Thank you very much for the detailed explanation, brother. I appreciate it; it really helped me understand DNSSEC.


  • Only the original requestor account (or an admin) can choose Accept As Solution.
    Nat24, if you can influence Nath somehow (sheepish grin) to click the Accept As Solution button, then all will be good.


    • Nath (Cirrostratus rank)

      Thanks, and I really appreciate the community. I didn't notice that I was using a different account :).