
A few years ago, I moved my domains to a registrar that supports DNSSEC for .co.uk domains when I realised that Google Cloud Platform supported DNSSEC and SSHFP records. That worked fine on GCP.

Now I am doing a lot of work with Oracle Cloud. According to their DNS FAQ, DNSSEC is not supported. However, their DNS hosting on Oracle Cloud supports DNSKEY, DS, CDS and CDNSKEY as well as SSHFP records.

So how can I set SSHFP records for Oracle Cloud instances? If I keep the DNS hosting done on Google Cloud, can I use CDS/CDNSKEY records (or whatever) as a child zone on Oracle DNS?

I currently have DNS being done on Google Cloud, with NS records for specific hosts pointing at Oracle Cloud. There are NS records for every host. It works, but I don't know if there's a better way to do this, and DNSSEC obviously doesn't work.

paradroid
  • Your question is off-topic here as not related to programming and you should direct it to your DNS provider or change your DNS provider. Note that a DNS provider saying it allows DNSKEY records in its zone but doesn't do DNSSEC makes utterly no sense, so that might be a clue on the level of service here. As for CDS/CDNSKEY they unfortunately are currently very little used by registries: https://github.com/oskar456/cds-updates AND you still need to have DNSSEC in your zone to use them! NS records trigger zone cuts and as such need DS (in parent) and DNSKEY in child, with all proper RRSIGs – Patrick Mevzek Feb 04 '23 at 01:01
  • @PatrickMevzek When I was looking for the correct site on the SE network to ask, I see all DNSSEC questions being asked here: https://stackexchange.com/search?q=DNSSEC. – paradroid Feb 04 '23 at 10:34
  • @PatrickMevzek I thought that it could be possible that these child record types could be used on a child zone, as long as the parent zone fully supports DNSSEC, as then the fact that Oracle still provide these record types would make some sort of sense. – paradroid Feb 04 '23 at 10:36
  • "I see all DNSSEC questions being asked here" The presence of other off-topic questions does not make yours automatically on-topic even on the same subjects. – Patrick Mevzek Feb 04 '23 at 21:35
  • "I thought that it could be possible that these child record types could be used on a child zone, as long as the parent zone fully supports DNSSEC, as then the fact that Oracle still provide these record types would make some sort of sense." DNSSEC doesn't work like that. It is not just a matter of adding new records in the zone. There need to be signatures (RRSIG records). This has to be done by the DNS provider, and they change over time so they are dynamic. So a provider saying "we don't do DNSSEC" but still letting you put DNSKEY records in is probably clueless on DNSSEC. – Patrick Mevzek Feb 04 '23 at 21:36
  • @PatrickMevzek Oracle supports 'Secondary DNS' and "If the primary provider signs zones with DNSSEC, the signatures are transferred with the zone records to the secondary zone on OCI." I think this might explain it? https://docs.oracle.com/en-us/iaas/Content/DNS/Tasks/secondary-dns.htm – paradroid Feb 07 '23 at 05:59
  • It is not enough, especially if you use NSEC3. But ask them directly, or just test with a dummy zone and see what DNSViz says (it will fully test DNSSEC things on all nameservers). – Patrick Mevzek Feb 07 '23 at 15:03
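The thread above turns on two record relationships: at each zone cut the parent must publish a DS that is a digest of the child's DNSKEY, and an SSHFP record is a digest of the host's SSH public key. The following Python is an added example (not code from the asker, Oracle, Google Cloud, or DNSViz) that derives both records offline so you can check what a provider publishes against what you expect: the DS key tag follows RFC 4034 Appendix B, the DS digest is SHA-256 over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4 / RFC 4509), and the SSHFP fingerprint is SHA-256 over the base64-decoded host key blob (RFC 4255 / RFC 6594). The owner name, flags and key bytes used as sample input are constructed placeholders, not real keys, and the function names are this example's own.

```python
"""Offline DS and SSHFP derivation (example code; sample keys below are constructed)."""
import base64
import hashlib
import struct

# IANA registry values: DNSKEY algorithm 13 = ECDSAP256SHA256, DS digest type 2 = SHA-256,
# SSHFP algorithms 1 RSA / 2 DSA / 3 ECDSA / 4 Ed25519, SSHFP fingerprint type 2 = SHA-256.
DNSKEY_ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name: length-prefixed labels, zero root."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA, RFC 4034 Appendix B (the non-RSAMD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes):
    """The DS the parent zone must publish for this child DNSKEY:
    (key tag, algorithm, digest type, hex digest), digest = SHA-256(owner wire || RDATA)."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest)


def ds_matches(owner: str, flags: int, algorithm: int, pubkey: bytes, ds) -> bool:
    """True when a DS published in the parent authenticates this child DNSKEY."""
    return ds_record(owner, flags, algorithm, pubkey) == tuple(ds)


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def host_key_line(key_type: str, raw_key: bytes) -> str:
    """Build a `<type> <base64 blob>` host key line as found in ssh_host_*_key.pub."""
    blob = ssh_string(key_type.encode("ascii")) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')}"


def sshfp_record(line: str):
    """SSHFP (algorithm, fingerprint type, hex fingerprint) for a host key line.
    The fingerprint covers the decoded key blob exactly as it appears in the SSH wire format."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    return (SSHFP_ALG[key_type], SSHFP_FPTYPE_SHA256, hashlib.sha256(blob).hexdigest().upper())


def sshfp_matches(line: str, record) -> bool:
    """True when the SSHFP record published in DNS matches this host key."""
    return sshfp_record(line) == tuple(record)


# Constructed sample inputs: placeholder key material, not real keys.
SAMPLE_OWNER = "host1.example.org."
SAMPLE_FLAGS = 257                    # KSK: ZONE (256) + SEP (1)
SAMPLE_PUBKEY = bytes(range(64))      # stands in for a 64-byte ECDSA P-256 public key
SAMPLE_HOST_KEY = host_key_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS,
                                        DNSKEY_ALG_ECDSAP256SHA256, SAMPLE_PUBKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    a, t, fp = sshfp_record(SAMPLE_HOST_KEY)
    print(f"{SAMPLE_OWNER} IN SSHFP {a} {t} {fp}")
```

Run it against the actual DNSKEY the child provider serves and the host's real `ssh_host_*_key.pub` to get the DS and SSHFP lines to compare with what is published; a mismatch in the DS, or a missing RRSIG over the DNSKEY and SSHFP sets in the child zone, is exactly the break in the chain the comments describe, and DNSViz will report it as such. Note that an SSHFP record only helps a client when it is returned with the AD bit set, which again requires the child zone to be signed.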
