Mubi
Apr 03, 2020 · Cirrus
DNSSEC for Subdomains
If F5 is managing a domain, and we have enabled DNSSEC, how can we enable DNSSEC for subdomains?
Thank you for providing a detailed problem description ...
I manually verified that the report is correct ... There are two fundamental issues that need to be addressed to have both DATICLOUD.COM and HOSTING.DATICLOUD.COM enabled as part of the DNSSEC chain-of-trust:
[1] The COM zone needs to insert the applicable DS records for DATICLOUD.COM for at least one of the two DNSKEY 257 records (key tags 12391 and 44515) that you are publishing. You can extract the DS records utilizing the textual output from:
tmsh list /ltm dns dnssec zone <dnssec zone name> all-properties
[2] Although the DATICLOUD.COM zone does publish a DS record for the HOSTING.DATICLOUD.COM zone for the DNSSEC Key-Signing-Key (KSK) key tag 44515:
hosting.daticloud.com. 86400 IN DS 44515 8 1 315156660E8FF103742A2958C45A9C933754628B
there are no DNSKEY records at all being published in the HOSTING.DATICLOUD.COM zone itself. I'm not sure why this is, but you definitely need to publish your DNSKEY records. After you do, ensure that at least one of them is for KSK key tag 44515, otherwise you will now need to replace the DS record in DATICLOUD.COM with a new one that is now applicable for HOSTING.DATICLOUD.COM.
Dear Frabotta,
Thanks for the detailed response. How can I publish the DNSKEY? Can you share the steps?
As I explained above, the DS record is from the KSK of daticloud.com, which I added as the DS record for hosting.daticloud.com;
hosting.daticloud is, in other words, inheriting the DS record from the parent domain.
And now, how do I add a DNSKEY for hosting.daticloud.com?
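The check behind point [2] of the reply above, as an added example (not from the thread or from F5): a DS record in the parent zone only validates if the child zone itself publishes a DNSKEY whose key tag, algorithm and digest over the child's owner name match it. The zone name hosting.example.com and both keys below are constructed sample values, not real key material.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Lower-cased wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """(key tag, algorithm, digest type, digest) a parent would publish for this key."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Parse 'owner ttl IN DS tag alg dtype digest', the layout quoted in the thread."""
    f = line.split()
    return f[0], (int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper())

def chain_ok(ds_line, child_dnskeys):
    """True if some DNSKEY published in the child zone matches the parent's DS."""
    owner, ds = parse_ds(ds_line)
    if ds[2] not in DIGESTS:
        return False
    # rd[0] & 0x01 is the Zone Key flag bit (set in both 256 and 257 keys).
    return any(rd[0] & 0x01 and make_ds(owner, rd, ds[2]) == ds for rd in child_dnskeys)

# Constructed sample keys (not real key material) for a hypothetical child zone.
KSK = dnskey_rdata(257, 3, 8, "AwEAAaq7")
ZSK = dnskey_rdata(256, 3, 8, "AwEAAcz9")
DS_LINE = "hosting.example.com. 86400 IN DS %d %d %d %s" % make_ds(
    "hosting.example.com.", KSK, 1)

if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK))
    print("child publishes ZSK + KSK:", chain_ok(DS_LINE, [ZSK, KSK]))
    print("child publishes no DNSKEY:", chain_ok(DS_LINE, []))
```

Because the digest covers the owner name as well as the key, a DS computed for one zone name does not match the same key published under a different name.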