Maybe a silly question: I had read the ISPConfig 3.1 Manual pages 248, 248, but there is only a sample for the data field. Where do I get the data for that field? I have activated DNSSEC in the domain (SOA) record, and the greyed field got filled. But doing a test with, for example, http://dnssec-debugger.verisignlabs.com/, they note DS record missing, which is correct. But what to fill in there? Please give a hint. Thank you, Rainer
You have to publish the DNSSEC record at your Domain provider (not in ispconfig). The data that you need for that is in the grey field.
OK, I am a domain reseller from INTERNETX, so I can register domains myself. I have my own nameservers too. There is a lot of data in the grey field; which one is the right one for the DS record? Or did I understand something wrong? Checking my domain at DNSSTUFF.COM/tools I get:

Status / Test Name / Information

PASS: DNSSEC records check
DNSSEC records exist for this zone. This test uses the standard defined in RFC4033. The DNNSEC records provided are:
  ns2.gerdakloos.de. has Type Covered: NSEC3PARAM Algorithm Number: 7 Labels: 2 Original TTL: 0 Signature Expiration: 20161029133611 Signature Inception: 20161013133611 Key Tag: 17738 Signers Name: muekno.de.
  admin.gerdakloos.de. has Type Covered: SOA Algorithm Number: 7 Labels: 2 Original TTL: 1800 Signature Expiration: 20161029133611 Signature Inception: 20161013133611 Key Tag: 17738 Signers Name: muekno.de.

PASS: DNSSEC SOA records exist
Found an SOA record and corresponding RRSIG SOA record. It is required by DNSSEC that your resource records be signed. It appears that your SOA has been signed.

PASS: DNSSEC SOA record date check
DNSSEC SOA date is within recommended range. This is good because signed records must not have expired. If they had, the signature is marked as invalid and any signed data is considered Bogus (RFC4033 section 5 and RFC4641 section 4.1).
  ns2.gerdakloos.de. has an expiration date of 20161029133611 | year=2016 month=10 day=29
  admin.gerdakloos.de. has an expiration date of 20161029133611 | year=2016 month=10 day=29

PASS: DNSSEC records match keys
DNSKEYs are defined for all records found for this zone. This is good because it provides resolvers with public keys which they can use to validate signatures for the resource records defined within this zone. The DNSKEYs provided are:
  ns2.gerdakloos.de. appears to have a signed NSEC3PARAM record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=1620
  ns2.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed TXT record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed MX record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed A record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed NS record with a key keyTag=17738
  ns2.gerdakloos.de. appears to have a signed SOA record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed SOA record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed NS record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed A record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed MX record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed TXT record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=1620
  admin.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=17738
  admin.gerdakloos.de. appears to have a signed NSEC3PARAM record with a key keyTag=17738

PASS: DNSSEC SOA record verifies
SOA record verifies with the corresponding DNSKEY. This is good because resolvers will be able to authenticate this record.

Rainer

In the grey field there are, on top, two DS records similar to the sample in the manual. Do I need both, or if not both, which one?
Personally I don't use DNSSEC, so I cannot tell you that in detail, and the procedure depends on the company that sells you the domains. What I know is that the record has to be set in the dns server of the root zone, not in your dns server. It does not matter if you are a domain reseller or not for that as you are not the holder of the root zone (e.g. DENIC is the holder of the .de root zone). Ask the company where you get your domains from (in this case internetx) on how you have to provide the data to them so that they forward it to the NIC. That data that they will ask you for should be in the grey field.
Here is a link that might help you (see the part about adding the signature in the root zone with internetx): https://matthias.wimmer.name/blog/posts/Mein-DNSsec-Setup.xhtml
@florian030: Thank you for the link
Thank you, it works. I had called internetx support. Besides entering the KSK in autodns3, I had to create 2 DS RRs with the DS record data from the domain. Leaving the hostname empty did not work; I entered domain.tld and it worked. Checks from DNSSEC tests on the internet said OK. Thank you, Rainer
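How the DS data discussed in this thread is derived from a zone's DNSKEY under RFC 4034, as an added example that is not part of any post above and not ISPConfig's own code. The owner name example.de. and the key bytes are constructed placeholders; only algorithm number 7 is taken from the test output in the thread. It shows that one key yields one DS per digest type, and that the digest covers the owner name, so a DS entered under a different name will not match.

```python
import base64
import hashlib
import struct

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for_key(owner, flags, protocol, algorithm, pubkey_b64):
    """Return one (key_tag, algorithm, digest_type, digest_hex) per digest type."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    # The digest input is the owner name in wire form followed by the RDATA.
    return [(tag, algorithm, dtype, h(name_to_wire(owner) + rdata).hexdigest().upper())
            for dtype, h in DIGEST_TYPES.items()]

def is_ksk(flags):
    """True when the SEP bit (lowest bit of the flags field) is set, e.g. 257."""
    return bool(flags & 0x0001)

# Constructed sample: placeholder key bytes, not real keys and not from the thread.
SAMPLE_OWNER = "example.de."
SAMPLE_KEYS = [(257, 3, 7, "AQIDBA=="), (256, 3, 7, "BQYHCA==")]

def ds_lines(owner, keys):
    """Zone-file style DS lines for every key that has the SEP bit set."""
    return [f"{owner} IN DS {t} {a} {d} {hx}"
            for k in keys if is_ksk(k[0])
            for (t, a, d, hx) in ds_for_key(owner, *k)]

if __name__ == "__main__":
    print("\n".join(ds_lines(SAMPLE_OWNER, SAMPLE_KEYS)))
```

Comparing the key tag and digest computed this way against what the parent zone returns for a DS query tells you whether the published DS belongs to the key currently in the zone.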