Prior to deploying DNSSEC it has been possible to perform something I’m calling “lazy delegation.” This is when a parent and direct child are served from the same name servers, so NS records in the parent are unnecessary in practice.
While consulting with various clients about how to best deploy their DNSSEC, this is a common discovery. Often times someone just forgot to add NS records, or their tools do not add them. No one notices because their DNS worked.
Now, with DNSSEC in use, the parent must contain a DS record of the child. Suddenly, upon adding these new records and using BIND 9’s command line signer tool, people begin to see the error:
dnssec-signzone: fatal: 'xxxxx.example.com': found DS RRset without NS RRset
This shouldn’t surprise people who are DNS well versed in DNS and its particular details, but to newcomers to DNS and DNSSEC this may be confusing.
The simple solution is to add proper delegation. So, if you
$include or manually add DS records for a child zone into you parent, you need to ensure that you also have the correct NS records in place.
Not having them in place is a time bomb anyway because if the list of servers change, such as moving the child to its own DNS servers, you would see head-scratching failures.