Forum Discussion
Enabling DNSSEC for 1 record only
- Sep 04, 2023
Realistically, the answer is no, because although you could, as per your example:
* create a new separate DNS zone named "uat.example.com" (with SOA and NS records)
* then create, for example, an A record in the zone so that "uat.example.com" resolves to an IP address
* then DNSSEC-sign this new "uat.example.com" zone so that it has the DNSSEC required public keys (DNSKEY records) and signatures (RRSIG records signed by private keys)
it would not be part of the DNSSEC chain-of-trust that DNSSEC validation requires. This is because if the parent zone "example.com" is not DNSSEC-signed (and thus is not part of the chain-of-trust), it therefore cannot vouch (with DS records) for the public keys (DNSKEY records) of the child zone "uat.example.com".
Note that the DNSSEC chain-of-trust starts with the root zone (".") and extends on down (e.g., "." to "com." to "cloudflare." to "community."), with any unsigned (or erroneous/bogus) component invalidating the rest of that chain-of-trust.
FOOTNOTE. The "real" example.com zone is DNSSEC-signed and passes validation, as per CloudFlare (IP 1.1.1.1) ...

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> SOA +additional +multiline +dnssec example.com. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12683
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com. IN SOA

;; ANSWER SECTION:
example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. (
2022091331 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN RRSIG SOA 13 2 3600 20230924195807 (
20230903171433 32385 example.com.
wsTSk8qrgpcDRtcNLCvGd0JAkDctbs4F3BJkIRtESRN0
4oq9jdGM4ArOjy/CoWQ1tuqrmhqoBC4BECq+uWf1Og== )

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 4 23:27:49 2023
;; MSG SIZE rcvd: 203
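How a parent zone "vouches" for a child zone's DNSKEY through a DS record, and why an unsigned parent breaks the chain, as an added example that is not part of the original post. The zone names and key bytes are constructed, and an unsigned example.com is modelled as publishing no trusted DS RRset for uat.example.com.

```python
# Added example (not from the DevCentral post): DS digest construction per
# RFC 4034 s5.1.4 / RFC 4509 (SHA-256) and key tag per RFC 4034 Appendix B.
import hashlib

SHA256 = 2  # DS digest type 2 = SHA-256


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple[int, int, int, str]:
    """(key tag, algorithm, digest type, digest) the parent must publish for this key."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], SHA256, digest


def parent_vouches(owner: str, child_dnskeys: list[bytes], parent_ds: list[tuple]) -> bool:
    """True only if some DS the parent publishes matches a DNSKEY in the child zone."""
    expected = {ds_from_dnskey(owner, k) for k in child_dnskeys}
    return any(ds in expected for ds in parent_ds)


# Constructed demo key: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with a fake 4-byte "public key" (a real P-256 key is 64 bytes).
UAT_KSK = dnskey_rdata(257, 3, 13, bytes.fromhex("00010203"))
DS_FOR_UAT = ds_from_dnskey("uat.example.com.", UAT_KSK)


def demo() -> dict:
    signed_parent = parent_vouches("uat.example.com.", [UAT_KSK], [DS_FOR_UAT])
    unsigned_parent = parent_vouches("uat.example.com.", [UAT_KSK], [])  # no trusted DS
    return {"signed_parent": signed_parent, "unsigned_parent": unsigned_parent}


if __name__ == "__main__":
    print(demo())
```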
Only the original requestor account (or an admin) can choose Accept As Solution.
Nat24 if you can influence Nath somehow (sheepish grin) to click the Accept As Solution button - then all will be good.
- Nath, Sep 07, 2023 (Cirrostratus)
Thanks and really appreciate the community, I didn't notice that I'm using a different acct :).