
I have domain example.company.com which is DNSSEC secured and has sent its DS records to the parent company.com. I want to create 2 other subdomains, both DNSSEC secured, sub1.example.company.com and sub2.example.company.com. However the parent domain here is example.company.com and not company.com so I want to include the DS records for the subdomains in the zone file for example.company.com.

However, when I add the DS records manually and try to re-sign example.company.com using the same keys as before (unexpired), I get the following error:

dnssec-signzone: fatal: dnssec-signzone: fatal: 'sub1.example.company.com': found DS RRset without NS RRset

What am I doing wrong here? Alternatively, how can I ensure DNSSEC protection for my subdomains given my existing main domain (example.company.com)?

Mnemosyne

1 Answer

DS records are only used as part of delegations between zones, i.e. side by side with the NS records that define such a delegation.

If you have, for example, the zone example.com and just add records for foo.example.com or foo.bar.example.com to this zone, that is already covered, as it is part of the same zone.

However, if you delegate e.g. sub.example.com so that this is a separate zone, you would have BOTH NS and DS records for sub.example.com in the example.com zone.

I'm not sure which of the cases above this question describes, but either you are missing the NS records for the delegation of the new zone or you are trying to add superfluous DS records "within" a zone.

Additionally, I would strongly suggest using the integrated DNSSEC signing support in BIND (auto-dnssec maintain and if needed the inline-signing config options) rather than the older external dnssec-signzone tool.

Håkan Lindqvist
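A pre-flight check for the two mistakes the answer describes, as an added example (not code from the question, the answer or BIND): it scans a zone file for DS RRsets that have no NS RRset at the same owner name, which is exactly the condition dnssec-signzone refuses to sign, and also flags a DS at the zone apex, which belongs in the parent zone instead. The sample zone, its names and the DS digests are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample zone (digests are placeholders, not real DS values):
# sub1 is delegated correctly (NS + DS); sub2 has a DS but no NS records,
# which is the condition dnssec-signzone reports as "DS RRset without NS RRset".
SAMPLE_ZONE = """\
$ORIGIN example.company.com.
$TTL 3600
@        IN SOA ns1 hostmaster 2021030501 7200 900 1209600 3600
@        IN NS  ns1
ns1      IN A   192.0.2.1
sub1     IN NS  ns1.sub1
ns1.sub1 IN A   192.0.2.10      ; glue for the delegated child
sub1     IN DS  12345 13 2 PLACEHOLDERDIGEST00000000000000000000000000000000
sub2     IN DS  23456 13 2 PLACEHOLDERDIGEST11111111111111111111111111111111
"""

# Owner name at line start, optional TTL, optional class, then NS or DS.
# Records that inherit the previous owner (leading whitespace) are not handled.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(NS|DS)\s", re.IGNORECASE)


def qualify(owner, origin):
    """Expand a zone-file owner name to a fully qualified, lowercase name."""
    if owner == "@":
        return origin.lower()
    return owner.lower() if owner.endswith(".") else f"{owner}.{origin}".lower()


def misplaced_ds(zone_text):
    """Return {owner: reason} for each DS RRset that is not part of a valid delegation."""
    origin, types_at = None, defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments and trailing space
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line and not line.startswith("$") and origin:
            m = RR_RE.match(line)
            if m:
                types_at[qualify(m.group(1), origin)].add(m.group(2).upper())
    problems = {}
    for name, types in types_at.items():
        if "DS" not in types:
            continue
        if name == origin.lower():  # a zone's own DS lives in its parent, not here
            problems[name] = "DS at zone apex (belongs in the parent zone)"
        elif "NS" not in types:  # DS must sit beside the delegating NS RRset
            problems[name] = "DS without NS (missing delegation)"
    return problems
```

Running `misplaced_ds(SAMPLE_ZONE)` reports only sub2; adding the `sub2 IN NS ...` delegation records (and glue if the name servers are below sub2) clears it.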
  • My situation was your 2nd scenario: I missed the NS records and added them. sub.example.com and example.com belong to different zones owned by me. But if I go with the DNSSEC support option from BIND, how do I ensure the subdomains are correctly signed? Just add the DS / NS from sub.example.com in the example.com zone file and let the signatures be refreshed accordingly? – Mnemosyne Mar 05 '21 at 18:56
  • You would just do the same thing for each zone, I suppose. Configure the zone and add keys, validate that the signing works, then add `DS` to the already signed parent. – Håkan Lindqvist Mar 05 '21 at 18:59