Adding DS record to parent in DNS
Solution 1:
The problem is exactly per the quoted text.
Validation of DNSSEC-signed data requires either:
- a complete chain of trust from the root zone down to your own, or
- configuration of a specific 'trust anchor' for your zone
In most cases, now that the root is actually signed, the former is preferred. You have a DNSKEY
in your zone, and you should submit a DS
record to your parent zone adminstrators. They then sign that record with their own key, and similarly their own DS
records get sent to their parent zone, which might be the root.
This does however require that every level of the DNS between your domain and the root also has DNSSEC.
What is your domain? It's quite possible that your parent domain doesn't yet support DNSSEC.
If they don't, then the next best option is to submit your DS record to ISC's "DLV" repository. This is a well supported DNS feature which allows for secure distribution of trust anchors for domains that don't yet have a fully secure chain of trust all of the way to the "root". Adding your record there will allow other people to validate your domain name.
EDIT ISC's DLV is no longer in operation.