DNSSEC DS Record

Discussion in 'ISPConfig 3 Priority Support' started by muekno, Oct 13, 2016.

  1. muekno

    muekno Active Member HowtoForge Supporter

    Maybe a silly question. I had read the ISPConfig 3.1 Manual, pages 248, 248, but there is only a sample for the data field. Where do I get the data for that field? I have activated DNSSEC in the domain (SOA) record, and the greyed field got filled. But doing a test from, for example, http://dnssec-debugger.verisignlabs.com/ they note that the DS record is missing, which is correct. But what do I fill in there?
    Please give a hint.

    Thank you

    Rainer
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to publish the DNSSEC record at your domain provider (not in ISPConfig). The data that you need for that is in the grey field.
     
  3. muekno

    muekno Active Member HowtoForge Supporter

    OK, I am a domain reseller from INTERNETX, so I can register domains myself. I have my own nameservers too. There is a lot of data in the grey field; which one is the right one for the DS record? Or did I misunderstand something? Checking my domain at DNSSTUFF.COM/tools I get:
    Status Test Name Information
    PASS
    DNSSEC records check DNSSEC records exist for this zone. This test uses the standard defined in RFC4033. The DNNSEC records provided are:

    ns2.gerdakloos.de. has Type Covered: NSEC3PARAM Algorithm Number: 7 Labels: 2 Original TTL: 0 Signature Expiration: 20161029133611 Signature Inception: 20161013133611 Key Tag: 17738 Signers Name: muekno.de.
    admin.gerdakloos.de. has Type Covered: SOA Algorithm Number: 7 Labels: 2 Original TTL: 1800 Signature Expiration: 20161029133611 Signature Inception: 20161013133611 Key Tag: 17738 Signers Name: muekno.de.
    PASS
    DNSSEC SOA records exist Found an SOA record and corresponding RRSIG SOA record. It is required by DNSSEC that your resource records be signed. It appears that your SOA has been signed.
    PASS
    DNSSEC SOA record date check DNSSEC SOA date is within recommended range. This is good because signed records must not have expired. If they had, the signature is marked as invalid and any signed data is considered Bogus (RFC4033 section 5 and RFC4641 section 4.1).

    ns2.gerdakloos.de. has an expiration date of 20161029133611 | year=2016 month=10 day=29
    admin.gerdakloos.de. has an expiration date of 20161029133611 | year=2016 month=10 day=29
    PASS
    DNSSEC records match keys DNSKEYs are defined for all records found for this zone. This is good because it provides resolvers with public keys which they can use to validate signatures for the resource records defined within this zone. The DNSKEYs provided are:

    ns2.gerdakloos.de. appears to have a signed NSEC3PARAM record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=1620
    ns2.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed TXT record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed MX record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed A record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed NS record with a key keyTag=17738
    ns2.gerdakloos.de. appears to have a signed SOA record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed SOA record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed NS record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed A record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed MX record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed TXT record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=1620
    admin.gerdakloos.de. appears to have a signed DNSKEY record with a key keyTag=17738
    admin.gerdakloos.de. appears to have a signed NSEC3PARAM record with a key keyTag=17738
    PASS
    DNSSEC SOA record verifies SOA record verifies with the corresponding DNSKEY. This is good because resolvers will be able to authenticate this record.

    Rainer

    In the grey field there are, at the top, two DS records similar to the sample in the manual. Do I need both, or if not, which one?
     
    Last edited: Oct 13, 2016
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Personally I don't use DNSSEC, so I can not tell you that in detail, and the procedure depends on the company that sells you the domains. What I know is that the record has to be set in the DNS server of the root zone, not in your DNS server. It does not matter whether you are a domain reseller or not, as you are not the holder of the root zone (e.g. DENIC is the holder of the .de root zone). Ask the company where you get your domains from (in this case InterNetX) how you have to provide the data to them so that they forward it to the NIC. The data that they will ask you for should be in the grey field.
     
  6. muekno

    muekno Active Member HowtoForge Supporter

    Thank you, it works. I had called InterNetX support.
    Besides entering the KSK in AutoDNS3, I had to create 2 DS RRs with the DS record data from the domain. Leaving the hostname empty did not work; entering domain.tld worked. Checks from DNSSEC tests on the internet said OK.
    Thank you

    Rainer
     
