DNSSEC and “lazy delegation”

Prior to deploying DNSSEC, it has been possible to perform something I’m calling “lazy delegation.” This is when a parent and its direct child are served from the same name servers, so NS records in the parent are unnecessary in practice.

While consulting with various clients about how best to deploy their DNSSEC, this is a common discovery. Oftentimes someone simply forgot to add the NS records, or their tools do not add them. No one notices because their DNS worked.

Now, with DNSSEC in use, the parent must contain a DS record for the child. Suddenly, upon adding these new records and using BIND 9's command line signer tool, people begin to see the error:

dnssec-signzone: fatal: 'xxxxx.example.com': found DS RRset without NS RRset

This shouldn’t surprise people who are well versed in DNS and its particular details, but to newcomers to DNS and DNSSEC it may be confusing.

The simple solution is to add proper delegation. So, if you $include or manually add DS records for a child zone into your parent, you need to ensure that you also have the correct NS records in place at the same owner name.

Not having them in place is a time bomb anyway, because if the list of servers changes, such as when moving the child to its own DNS servers, you would see head-scratching failures.
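As an added illustration (not code from this post, and not part of BIND), here is a small Python checker that reproduces the condition behind that fatal error on a constructed parent zone: one version carries the child's DS RRset with no delegation, the other adds the NS RRset at the same owner name. The zone contents, names and DS digest are all made up for the example; the parser handles only the simple single-$ORIGIN layout shown.

```python
import re

# Constructed parent zone (example data): the child's DS RRset is present, as if
# $INCLUDEd from the child's signing output, but nobody added the NS RRset.
BAD_ZONE = """\
$ORIGIN example.com.
@      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
@      3600 IN NS  ns1.example.com.
ns1    3600 IN A   192.0.2.1
; DS for the child, but no delegation -> "found DS RRset without NS RRset"
child  3600 IN DS  12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# Same zone with proper delegation: an NS RRset at the child's owner name.
# Because the child is served by the parent's own server, the A record for
# ns1 already in this zone is all the glue that is needed.
GOOD_ZONE = BAD_ZONE + "child  3600 IN NS  ns1.example.com.\n"

# owner [ttl] [class] type rdata...  (only the simple layout used above)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Za-z0-9]+)\s")


def parse_owner_types(zone_text):
    """Return {fully qualified owner name: set of RR types} for a simple zone file.

    Assumes a single $ORIGIN line, no parenthesised multi-line records and no
    blank-owner continuation lines; enough for the delegation check here.
    """
    origin = "."
    owner_types = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments and trailing space
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        match = RR_RE.match(line)
        if match is None:
            raise ValueError("unparsed zone line: " + line)
        owner, rrtype = match.group(1), match.group(2).upper()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin  # relative name -> qualify with $ORIGIN
        owner_types.setdefault(owner, set()).add(rrtype)
    return owner_types


def ds_without_ns(zone_text):
    """Owner names carrying a DS RRset but no NS RRset: the fatal case from the post."""
    owner_types = parse_owner_types(zone_text)
    return sorted(name for name, types in owner_types.items()
                  if "DS" in types and "NS" not in types)


if __name__ == "__main__":
    for label, zone in (("lazy delegation", BAD_ZONE), ("proper delegation", GOOD_ZONE)):
        missing = ds_without_ns(zone)
        print(label + ":", "OK" if not missing else "DS without NS at " + ", ".join(missing))
```

Running the script reports `child.example.com.` for the first zone and nothing for the second; the same check, run over a parent zone before signing, catches the lazy delegation ahead of dnssec-signzone rather than at signing time.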
