Hi Asanka,

> Hi All,
>
> Just want to give you all an update on how this went as I ran into issues with this implementation.
>
> What I did first:
> Enabled DNSSEC on primary domain (domain.com)
> Added DS Records to domain registrar.
> What worked: All DNS records under the primary zone worked and resolved without any issues.
> What broke: All subdomain DNS zones failed to resolve.

What would have worked is adding NS records in your domain.com zone for the subdomains.domain.com. Even if they aren’t signed.

Frank

> Kind Regards,
> Asanka Gunasekara
>
>> On 5/03/2019 11:24:27 AM, Asanka Gunasekara <asan...@talkup.com.au> wrote:
>>
>> Hi Peter,
>>
>> Thanks for the information. I have done just that :)
>>
>> Kind Regards,
>> Asanka
>>
>>> On 26/02/2019 10:31:10 PM, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
>>>
>>> Hello
>>> On 26 Feb 2019, at 5:43, Asanka Gunasekara wrote:
>>>
>>> > I'm sure this is a pretty dumb question but my knowledge on DNSSEC is very limited so hope you guys/gals can help me out.
>>> >
>>> > We use PowerDNS as our Authoritative DNS and everything is configured here. We use PowerDNS-Admin [https://github.com/ngoduykhanh/PowerDNS-Admin] as our GUI.
>>> >
>>> > I have our primary domain: domain.com and it is split up into several sub-domain zones for ease of management.
>>> > Eg:
>>> > Zone1 - domain.com
>>> > Zone2 - sub1.domain.com
>>> > Zone3 - sub2.domain.com
>>> >
>>> > Q1) If I enable DNSSEC between Zone1 above and domain registrar, would zones 2 and 3 stop functioning?
>>>
>>> They will keep working, but in insecure mode, as long as there is a correct delegation (NS records for Zone2 and Zone3) in Zone1.
>>>
>>> > Q2) How do I enable DNSSEC on sub zones?
>>>
>>> For Zone1, you presumably enabled DNSSEC in your Admin and then sent the DNSKEY or DS to the parent operator (.com), who then puts a DS in that parent zone. For Zone2 and Zone3, you are the parent operator, so enable DNSSEC, and then put the DS records in Zone1.
>>>
>>> Kind regards,
>>> --
>>> Peter van Dijk
>>> PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
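
The three outcomes discussed in this thread (no delegation, NS only, NS plus DS) can be checked before a parent zone is signed. The following is an added example, not code from any poster or from PowerDNS; the zone listing, the sub3/sub4 names and all record values are constructed, and the check looks only at record presence, not at whether a DS digest matches the child's DNSKEY.

```python
# Constructed sample: records of the signed parent zone, one per line
# (owner, TTL, class, type, content). All values are made up.
PARENT_ZONE_TEXT = """
domain.com.       3600 IN SOA ns1.domain.com. hostmaster.domain.com. 1 10800 3600 604800 3600
domain.com.       3600 IN NS  ns1.domain.com.
www.domain.com.   3600 IN A   192.0.2.10
sub1.domain.com.  3600 IN NS  ns1.domain.com.
sub2.domain.com.  3600 IN NS  ns1.domain.com.
sub2.domain.com.  3600 IN DS  12345 13 2 (constructed-digest-placeholder)
sub4.domain.com.  3600 IN NS  ns1.domain.com.
sub4.domain.com.  3600 IN DS  23456 13 2 (constructed-digest-placeholder)
"""

# Constructed: child zones served as separate zones, and whether each is signed.
CHILD_ZONES = {"sub1.domain.com": False, "sub2.domain.com": True,
               "sub3.domain.com": False, "sub4.domain.com": False}


def types_at(zone_text, owner):
    """Return the set of record types the parent zone holds at `owner`."""
    found = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].rstrip(".").lower() == owner.lower():
            found.add(fields[3].upper())
    return found


def delegation_status(child, child_signed, zone_text=PARENT_ZONE_TEXT):
    """Classify how a validating resolver will treat `child`."""
    types = types_at(zone_text, child)
    if "NS" not in types:
        # The signed parent proves there is no zone cut at this name, so
        # answers served from the separate child zone cannot validate.
        return "broken: no NS delegation in parent"
    if "DS" in types and not child_signed:
        # A DS promises a signed child; an unsigned child fails validation.
        return "broken: DS in parent but child unsigned"
    # NS without DS is a provably insecure delegation, signed child or not.
    return "secure" if "DS" in types else "insecure"


def audit(children=CHILD_ZONES):
    return {name: delegation_status(name, signed) for name, signed in children.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:18} {status}")
```
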