
DNSSEC for Subdomains

Mubi
Cirrus

If F5 is managing a domain, and we have enabled DNSSEC, how can we enable DNSSEC for subdomains?

7 REPLIES

Mubi
Cirrus

I have added a DS record for each subdomain, which I got from the DNSSEC-enabled master domain.

But I am still seeing the result in which it says the DNSKEY is not added against the subdomain.

Frabotta9500
Nimbostratus

Each parent DNS zone (e.g., bulb.com) that is DNSSEC-signed must contain, along with its own DNSKEY records that publish its own public Key-Signing-Key (KSK) and Zone-Signing-Key (ZSK), the DS records for any child subzones (e.g., lamp.bulb.com) that are underneath it.

 

The DS records that are published in the parent DNS zone vouch for the validity of the KSK of the child DNS zone; specifically, the DS records contain a hash of the child zone's KSK, with that KSK itself being published in the child zone's own set of DNSKEY records.

 

Likewise, the child zone must host DS records for any subzones underneath it (e.g., bright.lamp.bulb.com). And so on.

 

Frabotta, thanks for the reply,

Actually I have googled a lot but I didn't find how to add a DS for the child zone, but in the end I was successful; I followed the steps below:

First I created two keys, a KSK and a ZSK, for the parent zone,

then I created the DNSSEC zone and called both keys in it.

After that I copied the DS record from the parent zone and created a DS record with all the values from the KSK of the parent zone in it.

Now when I check the chain I face the error of DNSKEY not found in the child zone. Attached is the pic.

I searched the book but I didn't find how I can do it. One other thing:

All zones are managed by BIG-IP DNS, no local DNS.

And in the attached pic you can also see the DS record is missing with .com. How can we resolve it, as this domain is registered with GoDaddy?

 

Frabotta9500
Nimbostratus

Thank you for providing a detailed problem description ...

 

I manually verified that the report is correct ... There are two fundamental issues that need to be addressed to have both DATICLOUD.COM and HOSTING.DATICLOUD.COM enabled as part of the DNSSEC chain-of-trust:

 

[1] The COM zone needs to insert the applicable DS records for DATICLOUD.COM for at least one of the two DNSKEY 257 records (key tags 12391 and 44515) that you are publishing. You can extract the DS records utilizing the textual output from:

 

tmsh list /ltm dns dnssec zone <dnssec zone name> all-properties

 

[2] Although the DATICLOUD.COM zone does publish a DS record for the HOSTING.DATICLOUD.COM zone for the DNSSEC Key-Signing-Key (KSK) key tag 44515:

 

hosting.daticloud.com. 86400 IN DS 44515 8 1 315156660E8FF103742A2958C45A9C933754628B

 

there are no DNSKEY records at all being published in the HOSTING.DATICLOUD.COM zone itself. I'm not sure why this is, but you definitely need to publish your DNSKEY records. After you do, ensure that at least one of them is for KSK key tag 44515, otherwise you will now need to replace the DS record in DATICLOUD.COM with a new one that is now applicable for HOSTING.DATICLOUD.COM.

 

Dear Frabotta,

 

Thanks for the detailed response. How can I publish the DNSKEY? Can you share the steps?

As I explained above, the DS record is from the KSK of daticloud.com, which I added as the DS record for hosting.daticloud.com;

hosting.daticloud is, in other words, inheriting the DS record from the parent domain.

And now how do I add a DNSKEY for hosting.daticloud.com?

 

Frabotta9500
Nimbostratus

I did further probing ... and see where there is a definite misconfiguration between the parent DATICLOUD.COM zone and the child HOSTING.DATICLOUD.COM zone.

 

The DS record that the DATICLOUD.COM zone is publishing:

 

hosting.daticloud.com. 86400 IN DS 44515 8 1 315156660E8FF103742A2958C45A9C933754628B

 

should not be there! ... That DS record corresponds to the DNSKEY 257 record:

 

daticloud.com. 86400 IN DNSKEY 257 3 8 (
AwEAAakYt25n4sVcNEGgyoA2ScpH3e8TyZyDiyD3Tmha
bxU5qDbqEkAeaos8huevoeR/tA3EsGWhE1Ctc5rwenu4
gc3vCGzn3iysepPG/Hszm596+OPVQEvq8aImcF56XmAS
Bn3k9qvNSJiDe8SYDEKnZ5+IgLrQPtMFjyh0em+MoI9a
FF8/g1jnwQC1oGK4DNyaVM81eKPtD/CFxkCtn56F1vCp
MT0ytU005orp8rP1/1tZ5lWLY6I0ABO+PGq4hb4HEj0L
RAbSQt/hnRXEMs4eEPUlmu4tzy5yttrs1l7brYwTmx2A
1DyUzwKS2Kumq6w8svJ7NDyCQkeBP54aOCVaEtE=
) ; KSK; alg = RSASHA256 ; key id = 44515

 

that is being published in the DATICLOUD.COM zone itself. And it is that DS record that should be published in the COM zone (which currently is not publishing any DS records for DATICLOUD.COM, hence there exists no DNSSEC chain-of-trust right now).

 

Here are my recommendations:

 

{1} Remove that DS record from the DATICLOUD.COM zone. (Once you get the issue between the DATICLOUD.COM and HOSTING.DATICLOUD.COM zones fixed, you can ask the DNS Administration for the COM zone to publish it.)

 

{2} Now see if doing a dig to one of the authoritative DNS nameservers for HOSTING.DATICLOUD.COM (which are the same ones that are authoritative for DATICLOUD.COM) will show the DNSKEY records. For example, do a dig to dns.daticloud.com [38.99.240.70]:

 

dig @38.99.240.70 hosting.daticloud.com dnskey +norecurse +multiline

 

Now do you see the DNSKEY records for HOSTING.DATICLOUD.COM?

 

{3} If you do, then for at least one of the DNSKEY 257 records, put its corresponding DS record into the DATICLOUD.COM zone; as implied before, you can use:

 

tmsh list /ltm dns dnssec zone hosting.daticloud.com all-properties

 

to discover this.

 

Hope this solves the issue ... If not, we can look at it further.
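Worked example, added here and not part of the thread or of F5's own tooling: it derives a DS record from a DNSKEY the way a validating resolver does (RFC 4034 section 5.1.4 for the digest, Appendix B for the key tag), using the daticloud.com KSK printed above. It shows the point made in both of Frabotta's explanations: the owner name is hashed together with the key, so a DS copied from the parent zone carries the parent's key tag but cannot match anything at the child name. Python 3 standard library only; the published DS line and the KSK are copied from the thread, and the toy key used in the test is constructed.

```python
"""DS <- DNSKEY derivation per RFC 4034. Added example, not F5 code; stdlib only."""
import base64
import hashlib
import struct

# daticloud.com KSK as printed in the thread (dig +multiline lines joined):
# flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256, reported key id 44515.
DATICLOUD_KSK_B64 = (
    "AwEAAakYt25n4sVcNEGgyoA2ScpH3e8TyZyDiyD3Tmha"
    "bxU5qDbqEkAeaos8huevoeR/tA3EsGWhE1Ctc5rwenu4"
    "gc3vCGzn3iysepPG/Hszm596+OPVQEvq8aImcF56XmAS"
    "Bn3k9qvNSJiDe8SYDEKnZ5+IgLrQPtMFjyh0em+MoI9a"
    "FF8/g1jnwQC1oGK4DNyaVM81eKPtD/CFxkCtn56F1vCp"
    "MT0ytU005orp8rP1/1tZ5lWLY6I0ABO+PGq4hb4HEj0L"
    "RAbSQt/hnRXEMs4eEPUlmu4tzy5yttrs1l7brYwTmx2A"
    "1DyUzwKS2Kumq6w8svJ7NDyCQkeBP54aOCVaEtE="
)
DATICLOUD_KSK = (257, 3, 8, base64.b64decode(DATICLOUD_KSK_B64))

# The DS line the thread shows published under the child name (tag 44515, alg 8, digest type 1 = SHA-1).
PUBLISHED_DS = ("hosting.daticloud.com.", 44515, 8, 1,
                "315156660E8FF103742A2958C45A9C933754628B")

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types handled here


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=1):
    """DS digest = H(owner name wire form || DNSKEY RDATA): the DS is bound to a zone name,
    not just to the key material."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, key, digest_type=1):
    """DS tuple (owner, key tag, algorithm, digest type, digest) the parent should publish."""
    flags, protocol, algorithm, pubkey = key
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_covers_key(ds, key):
    """The check a validating resolver makes: a DS found in the parent must match, in tag,
    algorithm and digest, a DNSKEY served at the DS's own owner name."""
    owner, tag, algorithm, digest_type, digest = ds
    return make_ds(owner, key, digest_type) == (owner, tag, algorithm, digest_type, digest.upper())


def main():
    parent_ds = make_ds("daticloud.com.", DATICLOUD_KSK)
    child_ds = make_ds("hosting.daticloud.com.", DATICLOUD_KSK)
    print("DS that COM would need for daticloud.com:", parent_ds)
    print("Same KSK hashed under the child name:   ", child_ds)
    print("key tags equal:", parent_ds[1] == child_ds[1], "| digests equal:", parent_ds[4] == child_ds[4])
    print("published child DS validates the parent KSK at the child name:",
          ds_covers_key(PUBLISHED_DS, DATICLOUD_KSK))


if __name__ == "__main__":
    main()
```

Run it as-is to compare the computed tag with the "key id = 44515" that dig reported; swap in the base64 from `dig @38.99.240.70 hosting.daticloud.com dnskey +norecurse +multiline` (once the child zone actually serves a DNSKEY) and `make_ds("hosting.daticloud.com.", ...)` gives the DS that belongs in DATICLOUD.COM, which should agree with what `tmsh list /ltm dns dnssec zone hosting.daticloud.com all-properties` prints.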

 

Mubi
Cirrus

 

Dear Frabotta,

 

As you said above, hosting.daticloud.com has the DS record which I added as the DS record for its child domains.

Yes, you are right, I did it myself: I added the DS record of Daticloud as the DS record of Hosting.

So my question is again: should I make DS records for each child zone, and would it be the same process as I did for the parent, like making a Wide IP for each parent zone, making a KSK and ZSK, and making DNSSEC zones?

 

In case I don't see a DNSKEY on dig hosting.daticloud.com, then what do I have to do?