Adding DS Records for Subdelegated Domains

Tony Finch dot at dotat.at
Fri Aug 4 11:39:27 UTC 2017


rams <bramesh80 at gmail.com> wrote:

> we have two scenarios as follows. Is there any chance to copy DS records
> through AXFR or any another method to copy child DS records into parent
> zone.

Sort of...

> Scenario 1:
>
> Customer has domain2.com on Bind1 signed with DS records for domain2.com at
> place with registrar. Customer delegates a zone (sub.domain2.com) from
> Bind1 to another DNS provider and wants to sign domain on the other provider
>
> Assumption: We would have to host the DS records for sub.domain2.com in the
> zone file domain2.com. They'd need to sign the zone on the other provider.

This is a bit tricky, because of the need to set up the chain of trust in
a secure manner. There are a few relevant specs:

RFC 7344 specifies CDS and CDNSKEY records, which allow a child zone to
instruct its parent to update its existing DS records, allowing automated
KSK rollovers. It doesn't help with establishing trust.

RFC 8078 extends RFC 7344 in a few ways. It has a fairly clear spec for
how a child zone can choose to go insecure (which might be necessary
before transferring a domain to another provider, because secure domain
transfers are difficult). It also has some choose-your-own-adventure
suggestions for how to establish trust in the first place.

Then there is draft-ietf-regext-dnsoperator-to-rrr-protocol which
describes an HTTP-based API that fills in the missing parts of RFC 8078.
The parent issues a domain authorization challenge via the API, which the
child has to publish as a _delegate TXT record, to establish the chain of
trust.

I'm not aware of very much code out there to implement these specs. I'm
working on an RFC 7344 implementation, and for the latter there is
https://github.com/APNIC-net/dns-rrr

> Scenario 2:
>
> Customer has DS records for domain3.com at registrar and has domain3.com
> and sub.domain3.com as separate zones on Bind1.
>
> Question: Since this all on the same provider do the DS records only need
> to exist at registrar? Will the separate zone create an issue since it (
> sub.domain3.com) is not the same zone as what has DS records at the
> provider (domain3.com)?

In this situation the DS records at the registrar only authenticate
domain3.com; you also need DS records in domain3.com to authenticate the
delegation to sub.domain3.com. (DNSSEC does not allow the old bad practice
of hosting a child zone on the same servers as its parent but without a
delegation.)

If you are using dnssec-signzone, there is some support for automatically
managing delegations when both parent and child are signed by the same
system. When signing a (child) zone it will emit a dsset- file containing
the DS records that the parent should publish. When signing a zone
containing delegations, you can give it the -g option to make it look for
dsset- files to insert into the signed zone to authenticate the
delegations.

If you are doing fully-automatic signing with named, then you'll need to
use dnssec-dsfromkey on the child zone's keys to create a dsset- file, and
then you will have to insert the result into the parent, e.g. using
`nsupdate`, or if you are using inline-signing, $INCLUDE in the unsigned
version of the zone.

Either way you will need to do some careful scripting to automate the
process - the tooling that comes with BIND is not quite complete.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Shannon, Rockall, Malin, Hebrides: West or northwest, 4 or 5, decreasing 3 at
times. Moderate. Showers, thundery later in Shannon. Good occasionally poor
later in Shannon.
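The scripting Tony describes for scenario 2 (derive DS records from the child zone's KSK, then push them into the parent with nsupdate) can be done without the BIND tools when you already hold the child's DNSKEY. The following is an added example, not code from the thread or from BIND: it computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY, emits an nsupdate batch for the parent zone, and compares a child's published CDS set against the DS set the parent currently serves (the RFC 7344 check a parent-side job would run before touching the delegation). The DNSKEY, the zone names sub.domain3.com/domain3.com from the question, the server address 192.0.2.53 and the TTL are constructed values; the public key is a fixed byte pattern, not a real key.

```python
"""Derive DS records for a child zone and prepare the parent-side update.

Added example (not from the bind-users thread). Implements RFC 4034
appendix B (key tag) and section 5.1.4 (DS digest over canonical owner
name + DNSKEY RDATA), so the output matches what dnssec-dsfromkey
produces for digest type 2 (SHA-256). Standard library only.
"""
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercased labels, RFC 4034 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64key' (presentation form)."""
    tokens = rr.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))  # key may span several tokens
    return tokens[0], flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B.1 key tag (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, proto: int, alg: int, key: bytes) -> str:
    """DS in presentation form, digest type 2 (SHA-256) over owner name + RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {alg} 2 {digest}"


def nsupdate_batch(parent_zone: str, server: str, ds_records: list, ttl: int = 3600) -> list:
    """Lines for `nsupdate`: replace the child's whole DS RRset in the parent zone.

    Deleting the RRset first means stale DS entries for retired KSKs do not
    linger and keep an unusable chain of trust alive.
    """
    child = ds_records[0].split()[0]
    lines = [f"server {server}", f"zone {parent_zone.rstrip('.')}.",
             f"update delete {child} DS"]
    for ds in ds_records:
        owner, _, _, rest = ds.split(None, 3)
        lines.append(f"update add {owner} {ttl} IN DS {rest}")
    lines.append("send")
    return lines


def ds_rdata_set(records: list) -> set:
    """Normalise DS/CDS presentation records to their RDATA so the sets compare."""
    return {" ".join(r.split()[3:]).upper() for r in records}


def cds_update_needed(parent_ds: list, child_cds: list) -> bool:
    """RFC 7344: the parent only acts when the child's CDS set differs from its DS set."""
    return ds_rdata_set(parent_ds) != ds_rdata_set(child_cds)


# Constructed sample: a KSK (flags 257) for sub.domain3.com with a pattern key.
SAMPLE_KEY = bytes([1, 2] * 32)  # 64 bytes, the size of a P-256 key (alg 13); NOT a real key
SAMPLE_DNSKEY = ("sub.domain3.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(SAMPLE_KEY).decode())


def sample_run() -> list:
    """Produce the nsupdate batch that publishes sub.domain3.com's DS in domain3.com."""
    owner, flags, proto, alg, key = parse_dnskey(SAMPLE_DNSKEY)
    ds = ds_record(owner, flags, proto, alg, key)
    return nsupdate_batch("domain3.com.", "192.0.2.53", [ds])


if __name__ == "__main__":
    print("\n".join(sample_run()))
```

Feed the batch to `nsupdate` (with a TSIG key, `-k`, if the parent accepts dynamic updates) or write the `IN DS` lines to a dsset- style file for `dnssec-signzone -g` or an `$INCLUDE`; either way run `cds_update_needed` against the child's live CDS set first so an automated job only rewrites the delegation when the child has actually asked for a change.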

