Technical Forum

Enabling DNSSEC for 1 record only

Nath
Cirrostratus

Hi Experts,

Trying to clear my doubts about DNSSEC. Usually, we implement DNSSEC on the whole zone, e.g. example.com.

My question is, is it possible to enable DNSSEC for specific records only like -> uat.example.com?

Thank you so much for your attention and participation.

1 ACCEPTED SOLUTION

Frabotta9500
Cirrus

Realistically, the answer is no, because although you could, as per your example:

o create a new separate DNS zone named "uat.example.com" (with SOA and NS records)

o then create, for example, an A record in the zone so that "uat.example.com" resolves to an IP address

o then DNSSEC-sign this new "uat.example.com" zone so that it has the DNSSEC required public keys (DNSKEY records) and signatures (RRSIG records signed by private keys)

it would not be part of the DNSSEC chain-of-trust that DNSSEC validation requires. This is because if the parent zone "example.com" is not DNSSEC-signed (and thus is not part of the chain-of-trust), it therefore cannot vouch (with DS records) for the public keys (DNSKEY records) of the child zone "uat.example.com".

Note that the DNSSEC chain-of-trust starts with the root zone (".") and extends on down (e.g., "." to "com." to "cloudflare." to "community."), with any unsigned (or erroneous/bogus) component invalidating the rest of that chain-of-trust.


FOOTNOTE. The "real" example.com zone is DNSSEC-signed and passes validation, as per CloudFlare (IP 1.1.1.1) ...

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> SOA +additional +multiline +dnssec example.com. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12683
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com. IN SOA

;; ANSWER SECTION:
example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. (
2022091331 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN RRSIG SOA 13 2 3600 20230924195807 (
20230903171433 32385 example.com.
wsTSk8qrgpcDRtcNLCvGd0JAkDctbs4F3BJkIRtESRN0
4oq9jdGM4ArOjy/CoWQ1tuqrmhqoBC4BECq+uWf1Og== )

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 4 23:27:49 2023
;; MSG SIZE rcvd: 203
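To make the chain-of-trust argument in the accepted answer concrete, here is an added Python example (it is not from the original post, and not Cloudflare's code). It computes DS digests the way RFC 4034 specifies (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA) and walks the delegations from the root down to uat.example.com, checking at each cut that the parent's DS commits to one of the child's DNSKEYs. All zone data, keys and the trust anchor are constructed for the example; RRSIG verification is deliberately left out, because the point the answer makes is the DS link, which a child zone cannot mint for itself.

```python
import hashlib
import struct

SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509); the only type handled here


def name_to_wire(name):
    """Canonical uncompressed wire form of an owner name, lowercased (RFC 4034 s6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(public_key, flags=257, protocol=3, algorithm=13):
    """DNSKEY RDATA: flags (257 = KSK with SEP bit), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS for a DNSKEY: (key tag, algorithm, digest type, H(owner-name-wire || DNSKEY RDATA))."""
    return (key_tag(rdata), rdata[3], SHA256, hashlib.sha256(name_to_wire(owner) + rdata).digest())


def ds_matches(owner, ds, rdata):
    """True when the parent's DS commits to this child DNSKEY (SHA-256 digests only)."""
    return ds[2] == SHA256 and ds == make_ds(owner, rdata)


def zone_cuts(qname):
    """Names from the root down to qname: '.', 'com.', 'example.com.', 'uat.example.com.'."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate_chain(zones, qname, trust_anchor):
    """
    zones maps a zone name to {"dnskey": [rdata, ...], "ds": {child_zone: [ds, ...]}};
    an empty "dnskey" list means the zone is unsigned. Returns (status, zone):
      ("secure", z)   every delegation down to z carried a matching DS
      ("insecure", z) the parent published no DS for z, so z and everything below
                      it is unvalidated, however carefully z itself was signed
      ("bogus", z)    a DS exists for z but matches none of z's DNSKEYs
    """
    if not any(ds_matches(".", trust_anchor, k) for k in zones["."]["dnskey"]):
        return ("bogus", ".")
    parent = "."
    for child in zone_cuts(qname)[1:]:
        if child not in zones:
            continue  # not a zone cut in this data set, just a name inside the parent zone
        ds_set = zones[parent]["ds"].get(child, [])
        if not ds_set:
            return ("insecure", child)
        if not any(ds_matches(child, ds, k) for ds in ds_set for k in zones[child]["dnskey"]):
            return ("bogus", child)
        parent = child
    return ("secure", parent)


def build_zones(example_com_signed):
    """Constructed data set: root, com. and uat.example.com. are always signed; example.com.
    is signed (and publishes a DS for uat) only when example_com_signed is True.
    Keys are deterministic fake bytes, since only the DS linkage is checked here."""
    names = (".", "com.", "example.com.", "uat.example.com.")
    keys = {z: dnskey_rdata(hashlib.sha256(b"constructed key for " + z.encode()).digest()) for z in names}
    zones = {z: {"dnskey": [keys[z]], "ds": {}} for z in names}
    zones["."]["ds"]["com."] = [make_ds("com.", keys["com."])]
    if example_com_signed:
        zones["com."]["ds"]["example.com."] = [make_ds("example.com.", keys["example.com."])]
        zones["example.com."]["ds"]["uat.example.com."] = [make_ds("uat.example.com.", keys["uat.example.com."])]
    else:
        zones["example.com."]["dnskey"] = []  # unsigned: no DNSKEY, so com. has no DS to publish for it
    return zones, make_ds(".", keys["."])


def tamper(zones, zone):
    """Simulate a resolver being fed a substitute DNSKEY for a zone (exactly what DS exists to catch)."""
    zones[zone]["dnskey"] = [dnskey_rdata(b"\x42" * 32)]
    return zones


if __name__ == "__main__":
    for signed in (True, False):
        zones, anchor = build_zones(signed)
        print("example.com signed =", signed, "->", validate_chain(zones, "uat.example.com.", anchor))
    zones, anchor = build_zones(True)
    print("substituted uat DNSSKEY ->", validate_chain(tamper(zones, "uat.example.com."), "uat.example.com.", anchor))
```

With example.com unsigned, the walk stops with "insecure" at example.com before it ever looks at the DNSKEYs of uat.example.com, which is the accepted answer in code: a validating resolver treats everything below an unsigned delegation as unvalidated, and the signatures the child publishes do not change that. The "bogus" case shows why the DS link matters at all: only because the parent committed to the child's key can a swapped-in key be rejected. Against the real tree the same walk is a `dig DS <zone> +dnssec` at each cut, and the `ad` flag in the footnote's dig output is the resolver reporting that its own walk succeeded.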


6 REPLIES

Thank you very much for the detailed explanation, brother. I appreciate it, and it really helped me understand DNSSEC.

Please flag the question as answered then.

Thanks, bone, for the reminder, but I'm not sure if something is wrong with the DC because I don't see any button for "Accept as Solution". Can you help me figure this out?

LiefZimmerman
Community Manager

Only the original requestor account (or an admin) can choose Accept As Solution.
@Nat24 if you can influence @Nath somehow (sheepish grin) to click the Accept As Solution button - then all will be good.

Thanks, and I really appreciate the community. I didn't notice that I was using a different account :).