Mubi
Apr 03, 2020 (Cirrus)
DNSSEC for Subdomains
If F5 is managing a domain and we have enabled DNSSEC, how can we enable DNSSEC for subdomains?
Each parent DNS zone (e.g., bulb.com) that is DNSSEC-signed must contain, along with its own DNSKEY records that publish its own public Key-Signing-Key (KSK) and Zone-Signing-Key (ZSK), the DS records for any child subzones (e.g., lamp.bulb.com) that are underneath it.
The DS records that are published in the parent DNS zone vouch for the validity of the KSK of the child DNS zone; specifically, the DS records contain a hash of the child zone's KSK, with that KSK itself being published in the child zone's own set of DNSKEY records.
Likewise, the child zone must host DS records for any subzones underneath it (e.g., bright.lamp.bulb.com). And so on.
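The parent/child relationship described in the reply above, as an added example that is not part of the original posts: it builds a DS record from a child zone's KSK as RFC 4034 specifies (SHA-256 digest, key tag) and checks whether a DS held by the parent matches a key in the child's DNSKEY set. The key material is constructed filler bytes, not real keys, and the function names are hypothetical.

```python
import base64, hashlib, struct

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches(owner, ds, dnskeys):
    """True if the parent's DS hashes to a zone key in the child's DNSKEY set."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:          # this example only handles SHA-256
        return False
    for flags, proto, kalg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, kalg, pub)
        # RFC 4034 5.2: the referenced DNSKEY must have the Zone Key bit set
        if flags & 0x0100 and kalg == alg and key_tag(rdata) == tag:
            if make_ds(owner, rdata, kalg)[3] == digest.upper():
                return True
    return False

def _b64(start):                  # constructed 64-byte filler, NOT a real key
    return base64.b64encode(bytes(range(start, start + 64))).decode()

PARENT, CHILD = "bulb.com.", "lamp.bulb.com."
CHILD_KSK = (257, 3, 13, _b64(0))     # published in the child zone
CHILD_ZSK = (256, 3, 13, _b64(64))    # published in the child zone
PARENT_KSK = (257, 3, 13, _b64(128))  # published in the parent zone
CHILD_KEYS = [CHILD_KSK, CHILD_ZSK]

# DS the parent should hold: hash of the CHILD zone's KSK
GOOD_DS = make_ds(CHILD, dnskey_rdata(*CHILD_KSK), 13)
# DS derived from the parent's own KSK: it vouches for no key in the child
WRONG_DS = make_ds(PARENT, dnskey_rdata(*PARENT_KSK), 13)

if __name__ == "__main__":
    print("child-KSK DS validates: ", ds_matches(CHILD, GOOD_DS, CHILD_KEYS))
    print("parent-KSK DS validates:", ds_matches(CHILD, WRONG_DS, CHILD_KEYS))
```
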
Frabotta, thanks for the reply.
Actually I have googled a lot but I didn't find how to add a DS for the child zone, but in the end I was successful. I followed the steps below:
First I created two keys, a KSK and a ZSK, for the parent zone,
then I created the DNSSEC zone and called both keys in it.
After that I copied the DS record from the parent zone and created a DS record with all the values from the KSK of the parent zone in it.
Now when I check the chain I face the error of DNSKEY not found in the child zone. Attached is the pic.
I searched the book but I didn't find how I can do it. One other thing:
All zones are managed by BIG-IP DNS, no local DNS.
And in the attached pic you can also see the DS record is missing with .com. How can we resolve it, as this domain is registered with GoDaddy?