Adding DS record to parent in DNS

Solution 1:

The problem is exactly per the quoted text.

Validation of DNSSEC-signed data requires either:

  1. a complete chain of trust from the root zone down to your own, or
  2. configuration of a specific 'trust anchor' for your zone

In most cases, now that the root is actually signed, the former is preferred. You have a DNSKEY in your zone, and you should submit a DS record to your parent zone administrators. They then sign that record with their own key, and similarly their own DS records get sent to their parent zone, which might be the root.

This does however require that every level of the DNS between your domain and the root also has DNSSEC.

What is your domain? It's quite possible that your parent domain doesn't yet support DNSSEC.

If they don't, then the next best option is to submit your DS record to ISC's "DLV" repository. This is a well supported DNS feature which allows for secure distribution of trust anchors for domains that don't yet have a fully secure chain of trust all of the way to the "root". Adding your record there will allow other people to validate your domain name.

EDIT: ISC's DLV is no longer in operation.
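The DNSKEY-to-DS step described in the answer above, as an added example that is not part of the original answer: it derives the DS fields (key tag per RFC 4034 Appendix B, SHA-256 digest over owner name plus DNSKEY RDATA) and repeats the comparison a validator makes at the delegation. The owner name `example.com.`, the placeholder key bytes and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercased, RFC 4034 section 6.2)."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:  # the root name "." has no labels
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches(owner, dnskey, ds) -> bool:
    """Validator's check at the delegation: recompute the DS and compare."""
    return make_ds(owner, *dnskey) == ds

# Constructed sample: 64 placeholder bytes stand in for a public key.
OWNER = "example.com."
DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
DS = make_ds(OWNER, *DNSKEY)

if __name__ == "__main__":
    print(OWNER, "IN DS", *DS)
    print("child key matches parent DS:", ds_matches(OWNER, DNSKEY, DS))
    rolled = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
    print("rolled key matches old DS:  ", ds_matches(OWNER, rolled, DS))
```

The last check shows why a key-signing-key rollover needs a new DS at the parent: the old DS no longer matches, and validating resolvers treat the zone as bogus.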