Mubi
Apr 03, 2020
DNSSEC for Subdomains
If F5 is managing a Domain, and we have enabled DNSSEC, how can we enable DNSSEC for Subdomains?
Cirrus
I did further probing ... and I see that there is a definite misconfiguration between the parent DATICLOUD.COM zone and the child HOSTING.DATICLOUD.COM zone.
The DS record that the DATICLOUD.COM zone is publishing:
hosting.daticloud.com. 86400 IN DS 44515 8 1 315156660E8FF103742A2958C45A9C933754628B
should not be there! ... That DS record corresponds to the DNSKEY 257 record:
daticloud.com. 86400 IN DNSKEY 257 3 8 (
AwEAAakYt25n4sVcNEGgyoA2ScpH3e8TyZyDiyD3Tmha
bxU5qDbqEkAeaos8huevoeR/tA3EsGWhE1Ctc5rwenu4
gc3vCGzn3iysepPG/Hszm596+OPVQEvq8aImcF56XmAS
Bn3k9qvNSJiDe8SYDEKnZ5+IgLrQPtMFjyh0em+MoI9a
FF8/g1jnwQC1oGK4DNyaVM81eKPtD/CFxkCtn56F1vCp
MT0ytU005orp8rP1/1tZ5lWLY6I0ABO+PGq4hb4HEj0L
RAbSQt/hnRXEMs4eEPUlmu4tzy5yttrs1l7brYwTmx2A
1DyUzwKS2Kumq6w8svJ7NDyCQkeBP54aOCVaEtE=
) ; KSK; alg = RSASHA256 ; key id = 44515
that is being published in the DATICLOUD.COM zone itself. And it is that DS record that should be published in the COM zone (which currently is not publishing any DS records for DATICLOUD.COM, hence there exists no DNSSEC chain-of-trust right now).
Here are my recommendations:
{1} Remove that DS record from the DATICLOUD.COM zone. (Once you get your issue between the DATICLOUD.COM and HOSTING.DATICLOUD.COM zones fixed, you can ask the DNS Administration for the COM zone to publish it.)
{2} Now see if doing a dig to one of the authoritative DNS nameservers for HOSTING.DATICLOUD.COM (which are the same ones that are authoritative for DATICLOUD.COM) will show the DNSKEY records. For example, do a dig to dns.daticloud.com [38.99.240.70]:
dig @38.99.240.70 hosting.daticloud.com dnskey +norecurse +multiline
Now do you see the DNSKEY records for HOSTING.DATICLOUD.COM?
{3} If you do, then for at least one of the DNSKEY 257 records, put its corresponding DS record into the DATICLOUD.COM zone; as implied before, you can use:
tmsh list /ltm dns dnssec zone hosting.daticloud.com all-properties
to discover this.
Hope this solves the issue ... If not, we can look at it further.
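The check Cirrus performs by hand above (does the DS in the parent zone really digest the child's DNSKEY at the child's owner name?) can be scripted. This is an added example, not code from the thread or from F5; it implements the RFC 4034 key tag and DS digest and runs them over the KSK and DS record quoted above, so the only assumption is that those records were transcribed accurately.

```python
import base64
import hashlib
import struct

def name_to_wire(owner):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase labels, root label last."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: 1 = SHA-1, 2 = SHA-256

def ds_for(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """DS RDATA (key tag, algorithm, digest type, hex digest) of a DNSKEY at an owner name.
    The digest covers the owner name, so the same key yields a different DS per zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(owner, dnskey, ds):
    """True only if ds is the DS of this DNSKEY *at this owner name* (the chain-of-trust link)."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    tag, alg, dtype, digest = ds
    expected = ds_for(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return expected == (tag, alg, dtype, digest.upper())

# The KSK and DS record quoted in the thread (alg 8 = RSASHA256, digest type 1 = SHA-1).
DATICLOUD_KSK = (257, 3, 8,
    "AwEAAakYt25n4sVcNEGgyoA2ScpH3e8TyZyDiyD3TmhabxU5qDbqEkAeaos8huevoeR/tA3EsGWhE1Ctc5rwenu4"
    "gc3vCGzn3iysepPG/Hszm596+OPVQEvq8aImcF56XmASBn3k9qvNSJiDe8SYDEKnZ5+IgLrQPtMFjyh0em+MoI9a"
    "FF8/g1jnwQC1oGK4DNyaVM81eKPtD/CFxkCtn56F1vCpMT0ytU005orp8rP1/1tZ5lWLY6I0ABO+PGq4hb4HEj0L"
    "RAbSQt/hnRXEMs4eEPUlmu4tzy5yttrs1l7brYwTmx2A1DyUzwKS2Kumq6w8svJ7NDyCQkeBP54aOCVaEtE=")
PUBLISHED_DS = (44515, 8, 1, "315156660E8FF103742A2958C45A9C933754628B")

if __name__ == "__main__":
    # A DS that matches at daticloud.com. but not at hosting.daticloud.com. is in the wrong zone.
    for owner in ("hosting.daticloud.com.", "daticloud.com."):
        tag = ds_for(owner, *DATICLOUD_KSK)[0]
        print(owner, "key tag", tag, "published DS matches:",
              ds_matches(owner, DATICLOUD_KSK, PUBLISHED_DS))
```

The same functions apply to the HOSTING.DATICLOUD.COM DNSKEY 257 records once step {2} returns them: compute their DS at the child owner name and publish that in DATICLOUD.COM.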