Subdomain DNSSEC

Mark Andrews marka at isc.org
Mon Aug 28 20:55:21 UTC 2017


In message <ED9ADC96-0796-476D-8D15-C1FBFB6BA77C at ucd.ie>, "Niall O'Reilly" writes:
> On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:
>
> > My apologies if this question has an easily discoverable answer but my
> > google-fu seems to be failing me today.
>
>    Try "insecure delegation" against your favourite search engine.
>    Here's an example of what searching for this gave me (from DuckDuckGo
>    rather than Google):
>
> https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns
>
> > If a domain is signed, is it possible to delegate a subdomain to a
> > 3rd party who is unable to sign that subdomain?
>
>    Yes.  You need NS records as has always been the case.  By simply not
>    adding a DS record, you signal an insecure delegation.
>
>    You may have problems if the two sets of name servers (for parent and
>    child zones) overlap.

This is a well known test case for validating clients and authoritative
servers.  You shouldn't have issues.  The validator will look for
DS records to prove that the child zone is insecure.  The negative
answers will come from the parent zone.

>    Best regards,
>    Niall O'Reilly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
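
The DS lookup discussed above, as an added example that is not part of the original message or of BIND: given the NSEC record returned for a DS query at the delegation name, decide whether it proves an insecure delegation (RFC 4035 section 5.2: NS bit set, SOA bit clear, DS bit clear). It assumes plain NSEC rather than NSEC3, an RRSIG that has already been verified, and constructed example.com records; the function names are hypothetical.

```python
# Added example: classify the NSEC record seen at a delegation name.
# All zone names and records below are constructed sample data.

def parse_nsec(rr_text):
    """Parse 'owner TTL IN NSEC next-name type [type ...]' (presentation format)."""
    fields = rr_text.split()
    if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "NSEC":
        raise ValueError("not an NSEC record: %r" % rr_text)
    owner = fields[0].lower().rstrip(".") + "."
    return owner, {t.upper() for t in fields[5:]}


def classify_delegation(child, rr_text):
    """Interpret an already signature-verified NSEC for the name `child`."""
    owner, types = parse_nsec(rr_text)
    child = child.lower().rstrip(".") + "."
    if owner != child:
        return "unrelated"         # NSEC is not owned by the delegation name
    if "SOA" in types:
        return "child-side"        # child apex NSEC: cannot prove DS absence
    if "NS" not in types:
        return "not-a-delegation"  # name exists in the parent but is not a zone cut
    if "DS" in types:
        return "secure"            # DS exists: child must be signed and validate
    return "insecure"              # NS without DS: provably unsigned child zone


# Parent-side NSEC for a delegation with NS records but no DS record.
PARENT_INSECURE = "sub.example.com. 3600 IN NSEC www.example.com. NS RRSIG NSEC"
# Parent-side NSEC for a delegation that does have a DS record.
PARENT_SECURE = "signed.example.com. 3600 IN NSEC sub.example.com. NS DS RRSIG NSEC"
# Apex NSEC as a signed child zone would serve it (SOA bit set).
CHILD_APEX = "sub.example.com. 3600 IN NSEC a.sub.example.com. NS SOA RRSIG NSEC DNSKEY"

if __name__ == "__main__":
    for name, rr in [("sub.example.com", PARENT_INSECURE),
                     ("signed.example.com", PARENT_SECURE),
                     ("sub.example.com", CHILD_APEX)]:
        print(name, "->", classify_delegation(name, rr))
```

The SOA-bit test is what keeps the parent's and the child's answers apart when both zones are served from the same name servers.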

