Nath
Sep 04, 2023

Enabling DNSSEC for 1 record only

Hi Experts, trying to clear my doubts about DNSSEC. Usually, we implement DNSSEC on the whole zone, e.g. example.com. My question is, is it possible to enable DNSSEC for specific records only like -> ...
  • Frabotta9500
    Sep 04, 2023

    Realistically, the answer is no, because although you could, as per your example:

    o create a new separate DNS zone named "uat.example.com" (with SOA and NS records)

    o then create, for example, an A record in the zone so that "uat.example.com" resolves to an IP address

    o then DNSSEC-sign this new "uat.example.com" zone so that it has the DNSSEC required public keys (DNSKEY records) and signatures (RRSIG records signed by private keys)

    it would not be part of the DNSSEC chain-of-trust that DNSSEC validation requires. This is because if the parent zone "example.com" is not DNSSEC-signed (and thus is not part of the chain-of-trust), it therefore cannot vouch (with DS records) for the public keys (DNSKEY records) of the child zone "uat.example.com".

    Note that the DNSSEC chain-of-trust starts with the root zone (".") and extends on down (e.g., "." to "com." to "cloudflare." to "community."), with any unsigned (or erroneous/bogus) component invalidating the rest of that chain-of-trust.


    FOOTNOTE. The "real" example.com zone is DNSSEC-signed and passes validation, as per CloudFlare (IP 1.1.1.1) ...

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> SOA +additional +multiline +dnssec example.com. @1.1.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12683
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ;; QUESTION SECTION:
    ;example.com. IN SOA

    ;; ANSWER SECTION:
    example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. (
    2022091331 ; serial
    7200 ; refresh (2 hours)
    3600 ; retry (1 hour)
    1209600 ; expire (2 weeks)
    3600 ; minimum (1 hour)
    )
    example.com. 3600 IN RRSIG SOA 13 2 3600 20230924195807 (
    20230903171433 32385 example.com.
    wsTSk8qrgpcDRtcNLCvGd0JAkDctbs4F3BJkIRtESRN0
    4oq9jdGM4ArOjy/CoWQ1tuqrmhqoBC4BECq+uWf1Og== )

    ;; Query time: 20 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Sep 4 23:27:49 2023
    ;; MSG SIZE rcvd: 203
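
An added example, not part of the original reply: a simplified Python model of the chain-of-trust walk described in the answer above. It checks only that each parent holds a DS digest matching the child's DNSKEY (RRSIG verification is left out), the keys are constructed placeholders, and an unsigned example.com is the answer's hypothetical, not the real zone.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(pubkey, flags=257, alg=13):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_status(chain):
    """chain: (zone, dnskey_rdata or None, DS digest held by parent or None),
    ordered from the root down; the root key is the trust anchor."""
    for zone, key, ds in chain[1:]:
        if ds is None:
            return "insecure at " + zone   # no DS: the chain ends here
        if key is None or ds_digest(zone, key) != ds:
            return "bogus at " + zone      # DS present but no DNSKEY matches it
    return "secure"

# Constructed placeholder keys (64 bytes, the size of an algorithm 13 key).
ZONES = [".", "com.", "example.com.", "uat.example.com."]
KEYS = {z: dnskey_rdata(bytes([i + 1]) * 64) for i, z in enumerate(ZONES)}

def scenario(parent_signed, uat_ds_ok=True):
    """Build the chain for uat.example.com. and return its validation status."""
    chain = [(".", KEYS["."], None)]
    chain.append(("com.", KEYS["com."], ds_digest("com.", KEYS["com."])))
    if parent_signed:
        chain.append(("example.com.", KEYS["example.com."],
                      ds_digest("example.com.", KEYS["example.com."])))
        uat_ds = ds_digest("uat.example.com.", KEYS["uat.example.com."])
        if not uat_ds_ok:
            uat_ds = "00" * 32             # stale DS left after a key change
    else:
        chain.append(("example.com.", None, None))   # unsigned parent
        uat_ds = None                      # unsigned parent has no validated DS
    chain.append(("uat.example.com.", KEYS["uat.example.com."], uat_ds))
    return chain_status(chain)

if __name__ == "__main__":
    print(scenario(parent_signed=False))   # the setup described in the answer
    print(scenario(parent_signed=True))
    print(scenario(parent_signed=True, uat_ds_ok=False))
```

With the parent unsigned, the walk stops at example.com. before the signed child is ever reached, so the child's DNSKEY and RRSIG records add nothing a validator can use.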