5

I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error:

DNSKEY found at child, but no DS was found at parent.

Check for DS records in parent zone

We found that none of your DNSKEY records are published at parent. All KSKs (Key Signing Keys) should have a corresponding DS record containing the digest of the key at the parent zone.

Recommendation
Publish DS records for all your DNSKEY (KSK) records in parent DNS zone. This will establish a chain of trust from the parent to your zone.

Anyone know what the problem could be?

I am using webmin for my BIND configuration and it has an option called dnssec verification and I think it's done via https://dlv.isc.org/.

I made a screenshot for this: [screenshot not included]

Saif Bechan

1 Answer

7

The problem is exactly per the quoted text.

Validation of DNSSEC-signed data requires either:

  1. a complete chain of trust from the root zone down to your own, or
  2. configuration of a specific 'trust anchor' for your zone

In most cases, now that the root is actually signed, the former is preferred. You have a DNSKEY in your zone, and you should submit a DS record to your parent zone administrators. They then sign that record with their own key, and similarly their own DS records get sent to their parent zone, which might be the root.

This does however require that every level of the DNS between your domain and the root also has DNSSEC.

What is your domain? It's quite possible that your parent domain doesn't yet support DNSSEC.

If they don't, then the next best option is to submit your DS record to ISC's "DLV" repository. This is a well supported DNS feature which allows for secure distribution of trust anchors for domains that don't yet have a fully secure chain of trust all of the way to the "root". Adding your record there will allow other people to validate your domain name.

EDIT: ISC's DLV is no longer in operation.

Alnitak
  • The .net zone isn't signed yet (due 4Q2010 I believe). In the meantime you could submit your DS record to ISC's "DLV" - this is a centralised trust anchor repository. https://dlv.isc.org/ – Alnitak Sep 20 '10 at 07:08
  • Ok yes I am pretty sure this is the thing I should do. I use Webmin as a hosting package and it has an option called 'DNSSEC Verification'. It is an option on the main screen of the BIND configuration. It was enabled already, and it has some settings in it already, it had some lines pointing to 'dlv.isc.org'. I have no clue what to do with it though. I will make a screenshot, and maybe you can help me out with it. thanks! – Saif Bechan Sep 20 '10 at 09:47
  • Those webmin settings only control your own local recursive resolver. Adding your DS to DLV (and to .net, when they're ready) will allow _other people_ to validate your zone. Ignore the previously reported error ("no DS in parent") unless it's preventing you from publishing your zone. – Alnitak Sep 20 '10 at 13:36
  • So if I understand you correctly I should just leave everything as it is and just ignore the error messages. The error does not give me any other problems; however, I would like it to be secured. Or should I still send something to DLV? I see some people using ZoneSigner to publish the key, should I do that or did webmin already do it for me. – Saif Bechan Sep 21 '10 at 04:31
  • yup, just ignore the error, and send your DS to the DLV so other people can validate it. Once .net is signed you can send your DS there instead and remove it from DLV. – Alnitak Sep 21 '10 at 06:12
  • Ok, sorry for all the questions, but how do I make my DS and how do I send it to DLV. Is there some tutorial online? – Saif Bechan Sep 21 '10 at 15:52
  • If you have shell access, use `dnssec-dsfromkey` to get your DS record. Then register on https://dlv.isc.org/ and follow their instructions. – Alnitak Sep 21 '10 at 15:56
  • And how do I submit DS to the .com zone? – Omid Kosari Aug 03 '13 at 13:45
  • @OmidKosari ask your domain registrar. If they can't help you, find a new registrar that can. – Alnitak Aug 03 '13 at 23:25
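As an added example (not part of the answer, and not BIND's own code), this is the DS computation that `dnssec-dsfromkey` performs, written out per RFC 4034, together with a check that the DS set the parent actually publishes covers every KSK in the zone, which is the condition the quoted error reports as unmet. The zone name `example.net.` and the two tiny keys are constructed sample values.

```python
import base64
import hashlib

# RFC 4034 DS digest types. SHA-1 (1) is only here to compare against old DS records.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def canonical_name(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels, root terminator."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for_ksks(owner, dnskeys, digest_type=2):
    """DS tuples (key_tag, algorithm, digest_type, digest_hex) for every KSK (SEP bit set, flags 257).
    ZSKs (flags 256) get no DS. The digest covers the canonical owner name followed by the RDATA."""
    out = []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        if not flags & 1:
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
        digest = DIGEST_ALGOS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
        out.append((key_tag(rdata), algorithm, digest_type, digest))
    return out

def missing_at_parent(expected, parent_ds):
    """DS records the parent should publish but does not (hex digest compared case-insensitively).
    An empty list means every KSK is anchored at the parent, i.e. the chain of trust is complete."""
    published = {(t, a, d, h.upper()) for t, a, d, h in parent_ds}
    return [ds for ds in expected if ds not in published]

if __name__ == "__main__":
    # Constructed sample: 4-byte "keys" so the numbers are easy to follow; real keys are far longer.
    ZONE = "example.net."
    KEYS = [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "BQYHCA==")]  # one KSK, one ZSK
    wanted = ds_for_ksks(ZONE, KEYS)
    for tag, alg, dtype, digest in wanted:
        print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")  # this is what goes to the registrar
    print("missing at parent:", missing_at_parent(wanted, []))  # parent has no DS: the quoted error
```

Feed `missing_at_parent` the DS set from a real query of the parent zone and the output lists exactly which KSKs still lack a DS.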