Re: Subdomain DNSSEC

2017-08-28 Thread Mark Andrews

In message , "Niall O'Reilly" writes:
> On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:
>
> > My apologies if this question has an easily discoverable answer but my
> > google-fu seems to be failing me today.
>
> Try "insecure delegation" against your favourite search engine.
> Here's an example of what searching for this gave me (from DuckDuckGo
> rather than Google):
>
> https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns
>
> > If a domain is signed, is it possible to delegate a subdomain to a
> > 3rd party who is unable to sign that subdomain?
>
> Yes.  You need NS records as has always been the case.  By simply not
> adding a DS record, you signal an insecure delegation.
>
> You may have problems if the two sets of name servers (for parent and
> child zones) overlap.

This is a well known test case for validating clients and authoritative
servers.  You shouldn't have issues.  The validator will look for
DS records to prove that the child zone is insecure.  The negative
answers will come from the parent zone.

> Best regards,
> Niall O'Reilly
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

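To make the validator behaviour described above concrete, here is an added example (my own code, not from this thread, from BIND, or from ISC). It models how a validating resolver classifies a delegation out of a signed parent as secure, insecure or bogus from the parent's answer to a DS query, using the thread's scenario (example.com signed, subdomain.example.com not). All names, keys and records are constructed; RRSIG/DNSKEY verification is replaced by an HMAC over the canonical RRset text under a per-zone key so it runs offline, and only NSEC (not NSEC3) denial is modelled.

```python
"""Simplified model of a validator's decision at a zone cut (RFC 4035, section 5).
example.com is signed; subdomain.example.com is delegated with NS only.

Constructed example: real signature checking is stood in for by an HMAC
under a per-zone key, and only NSEC denial of existence is modelled."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    sig: Optional[bytes] = None   # stand-in for the RRSIG covering this RRset


def canonical(rr: RRset) -> bytes:
    """Canonical form a signature covers: owner name, type, sorted rdata."""
    return f"{rr.name.lower()}|{rr.rtype}|{'|'.join(sorted(rr.rdata))}".encode()


def sign(rr: RRset, zone_key: bytes) -> RRset:
    """Attach a 'signature', as the zone owner does when signing the zone."""
    return RRset(rr.name, rr.rtype, rr.rdata,
                 hmac.new(zone_key, canonical(rr), hashlib.sha256).digest())


def verify(rr: RRset, zone_key: bytes) -> bool:
    """True only if the RRset carries a signature made with zone_key."""
    if rr.sig is None:
        return False
    expected = hmac.new(zone_key, canonical(rr), hashlib.sha256).digest()
    return hmac.compare_digest(rr.sig, expected)


def classify_delegation(child: str, parent_answer: List[RRset],
                        parent_key: bytes) -> str:
    """Classify `child` from the parent's reply to 'DS <child>'.
    The parent's key is assumed already trusted (chain from the root).

      secure   - an authenticated DS exists; child answers must be signed
      insecure - an authenticated NSEC proves there is no DS at the cut;
                 unsigned child answers are accepted (AD bit clear)
      bogus    - neither a valid DS nor a valid denial: SERVFAIL
    """
    ds = [r for r in parent_answer if r.name == child and r.rtype == "DS"]
    if ds:
        return "secure" if verify(ds[0], parent_key) else "bogus"

    # No DS returned: the denial itself must be authenticated, and the NSEC
    # at the delegation name must have NS set and both DS and SOA clear
    # (SOA set would mean the child's apex, not the parent's side of the cut).
    for nsec in (r for r in parent_answer
                 if r.name == child and r.rtype == "NSEC"):
        if not verify(nsec, parent_key):
            continue
        _next_name, *types = nsec.rdata[0].split()
        if "NS" in types and "DS" not in types and "SOA" not in types:
            return "insecure"
    return "bogus"


PARENT_KEY = b"constructed example.com zone signing key"
CHILD = "subdomain.example.com."


def parent_answers() -> Dict[str, List[RRset]]:
    """Constructed replies from example.com to 'DS subdomain.example.com'."""
    ds = RRset(CHILD, "DS", ("12345 13 2 0123456789abcdef (placeholder digest)",))
    nsec_no_ds = RRset(CHILD, "NSEC", ("www.example.com. NS RRSIG NSEC",))
    nsec_with_ds = RRset(CHILD, "NSEC", ("www.example.com. NS DS RRSIG NSEC",))
    return {
        # child published a DS, so its answers are expected to be signed
        "signed_child": [sign(ds, PARENT_KEY)],
        # the thread's case: NS records only, no DS, parent proves the absence
        "insecure_delegation": [sign(nsec_no_ds, PARENT_KEY)],
        # a denial with no signature (e.g. altered in transit) is not trusted
        "unsigned_denial": [nsec_no_ds],
        # a DS signed under some other key fails validation
        "bad_ds_signature": [sign(ds, b"some other key")],
        # NSEC bitmap says a DS exists, yet none was returned
        "inconsistent_nsec": [sign(nsec_with_ds, PARENT_KEY)],
        # parent returned nothing usable
        "empty": [],
    }


def evaluate() -> Dict[str, str]:
    return {name: classify_delegation(CHILD, answer, PARENT_KEY)
            for name, answer in parent_answers().items()}


if __name__ == "__main__":
    for name, state in evaluate().items():
        print(f"{name:22s} -> {state}")
```

The point the model makes is the one in the reply: the negative answer comes from the signed parent, so a validator can distinguish "no DS, proven by the parent" (insecure, answers accepted) from "no DS, nobody vouches for that" (bogus, SERVFAIL). Checking the real thing against a live zone is a matter of `dig +dnssec DS subdomain.example.com` against the parent's servers and confirming the NSEC/NSEC3 records and their RRSIGs are present.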

Re: Subdomain DNSSEC

2017-08-28 Thread Warren Kumari
On Mon, Aug 28, 2017 at 12:25 PM, Niall O'Reilly  wrote:
> On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:
>
>> My apologies if this question has an easily discoverable answer but my
>> google-fu seems to be failing me today.
>
>
> Try "insecure delegation" against your favourite search engine.
> Here's an example of what searching for this gave me (from DuckDuckGo
> rather than Google):
>
> https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns
>
>> If a domain is signed, is it possible to delegate a subdomain to a 3rd
>> party who is unable to sign that subdomain?
>
> Yes.  You need NS records as has always been the case.  By simply not
> adding a DS record, you signal an insecure delegation.

Yup, exactly -- take .com as an example -- it is a signed zone, but
there are a large number of unsigned subdomains in it.

W

>
> You may have problems if the two sets of name servers (for parent and
> child zones) overlap.
>
> Best regards,
> Niall O'Reilly



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: Subdomain DNSSEC

2017-08-28 Thread Niall O'Reilly

On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:

> My apologies if this question has an easily discoverable answer but my
> google-fu seems to be failing me today.

Try "insecure delegation" against your favourite search engine.
Here's an example of what searching for this gave me (from DuckDuckGo
rather than Google):

https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns

> If a domain is signed, is it possible to delegate a subdomain to a
> 3rd party who is unable to sign that subdomain?

Yes.  You need NS records as has always been the case.  By simply not
adding a DS record, you signal an insecure delegation.

You may have problems if the two sets of name servers (for parent and
child zones) overlap.

Best regards,
Niall O'Reilly

Subdomain DNSSEC

2017-08-28 Thread Michael Dahlberg
My apologies if this question has an easily discoverable answer but my
google-fu seems to be failing me today.

If a domain is signed, is it possible to delegate a subdomain to a 3rd
party who is unable to sign that subdomain?  For example, I own example.com
and it's signed.  I'd like to delegate subdomain.example.com to a 3rd party
that uses Amazon Route53 and therefore can't sign subdomain.example.com.
My understanding, and this may be incorrect, is that if a client's resolver
verifies signatures, then any resolution of subdomain.example.com would
result in an error because there would not be a valid signature for each
node in subdomain.example.com.  As I said, I may be incorrect here.

Thanks for any and all comments.

Mike