
I get this error:

Inconsistent security for stakeholdergame.com - 
DS found at parent, but no DNSKEY found at child.

On http://dnscheck.pingdom.com/?domain=stakeholdergame.com

People can't access my site with google public DNS because of this. How do I solve this problem?

`dig @ns1.haveabyte.nl stakeholdergame.com DS` shows me this:

```
; <<>> DiG 9.8.3-P1 <<>> @ns1.haveabyte.nl stakeholdergame.com DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42223
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;stakeholdergame.com.       IN  DS

;; AUTHORITY SECTION:
stakeholdergame.com.    14400   IN  SOA ns1.haveabyte.nl. hostmaster.stakeholdergame.com. 2014030300 14400 3600 1209600 86400

;; Query time: 21 msec
;; SERVER: 79.170.93.174#53(79.170.93.174)
;; WHEN: Tue Jun 10 11:20:41 2014
;; MSG SIZE  rcvd: 100
```
Sinan Samet
  • so, ***why*** did you make your registrar enter a DS record for stakeholdergame.com but did not include a KEY RR in your DNS zone? `dig +short DS stakeholdergame.com` `42573 7 1 64A902AD0A20245BE24D70179BEEAFF22B719E3E` – the-wabbit Jun 10 '14 at 09:31
  • I am not familiar with DS records and don't know how to do this. How and where do I have to do this? Do I have to do that in ns1.haveabyte.nl or with the registrar? Or can I remove it? Because actually I don't even want to use it. – Sinan Samet Jun 10 '14 at 09:35

1 Answer

The DS RR, which is the fingerprint of the public key for a DNSSEC-enabled zone, is entered in the uplevel zone (in your case com.) It also indicates that the zone in question indeed has been DNSSEC-enabled, so DNSSEC-aware resolvers will error out any request where a DS RR is present but no corresponding (and matching) RRSIG and DNSKEY records exist.

If you do not intend using DNSSEC, you should ask the registrar to remove the DS RRs for stakeholdergame.com from the .com zone.

Some further reading on DNSSEC: https://grepular.com/Understanding_DNSSEC

the-wabbit
  • I would like to remove it but the company I bought the domain from says it has nothing to do with them and they can't do anything about it. The DS record is not there on my nameserver. But google dns still has it. As if they didn't update it. – Sinan Samet Jun 10 '14 at 09:58
  • @SinanSamet The DS RR, very much like the glue NS RR, is ***in the .com zone***, not in "your" zone. If you have registered the domain at a different company than the one hosting the DNS zone (the whois info suggests so - registrar is networking4all B.V. while the zone is hosted by haveabyte.nl), you should be asking the registrar for removal. – the-wabbit Jun 10 '14 at 10:05
  • The company finally admitted that it was their fault after giving the link of this question. Thanks for your help! – Sinan Samet Jun 10 '14 at 12:51
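
The parent-DS versus child-DNSKEY consistency check that the answer describes, as an added example that is not part of the original thread: it derives a DS record from a DNSKEY per RFC 4034 and classifies a delegation. `PAGE_DS` is the DS value quoted in the comment above; `SAMPLE_KEY` is a constructed placeholder, not a real key, and the function names and result labels are hypothetical.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_delegation(owner, parent_ds, child_dnskeys):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    usable = [ds for ds in parent_ds if ds[2] in DIGESTS]
    if not usable:
        return "insecure"  # no usable DS at the parent: treated as an unsigned zone
    for tag, alg, dtype, digest in usable:
        for rdata in child_dnskeys:
            if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper()):
                return "chain-ok"  # DS matches a DNSKEY; RRSIG validation can proceed
    return "bogus"  # DS present, no matching DNSKEY: validators answer SERVFAIL

# DS record quoted on this page (dig +short DS stakeholdergame.com).
PAGE_DS = (42573, 7, 1, "64A902AD0A20245BE24D70179BEEAFF22B719E3E")
# Constructed sample: flags 257 (KSK), protocol 3, algorithm 7, dummy key bytes.
SAMPLE_KEY = dnskey_rdata(257, 3, 7, bytes.fromhex("01020304"))

if __name__ == "__main__":
    zone = "stakeholdergame.com"
    print(check_delegation(zone, [PAGE_DS], []))   # the situation in the question
    print(check_delegation(zone, [], []))          # after the registrar removes the DS
    signed = make_ds(zone, SAMPLE_KEY, 1)
    print(check_delegation(zone, [signed], [SAMPLE_KEY]))
```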