Subdomain DNSSEC
Niall O'Reilly
niall.oreilly at ucd.ie
Mon Aug 28 16:25:09 UTC 2017
On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:
> My apologies if this question has an easily discoverable answer but my
> google-fu seems to be failing me today.
Try "insecure delegation" against your favourite search engine.
Here's an example of what searching for this gave me (from DuckDuckGo
rather than Google):
https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns
> If a domain is signed, is it possible to delegate a subdomain to a
> 3rd party who is unable to sign that subdomain?
Yes. You need NS records as has always been the case. By simply not
adding a DS
record, you signal an insecure delegation.
You may have problems if the two sets of name servers (for parent and
child zones)
overlap.
Best regards,
Niall O'Reilly
More information about the bind-users
mailing list