This is my setup
Domain: nginx-repo[.]com (Registered at GoDaddy)
Nameserver: A DigitalOcean VM running BIND on Debian 7
I created a zone for the above-mentioned domain on my VM, then used dnssec-keygen and dnssec-signzone to set up and sign the zone file.
The DS records
# cat dsset-nginx-repo.com.
nginx-repo.com. IN DS 22728 7 1 7EAA739B73EDB97A3E352435F7064D9865AAF45E
nginx-repo.com. IN DS 22728 7 2 6812A504A54E37DDCBD3EB2913A53336AD4D132C619F7F98B45F91A6 98131231
Now I logged into GoDaddy and tried entering the first DS record but got the error - We are unable to validate your data at this time. Please try again later. If the problem persists, contact customer support.
So I contacted GoDaddy via live chat and in short this is what happened.
Me: I'm getting so and so error when entering DS records
They: You need Premium DNS for DNSSEC
Me: But your documentation (http://support.godaddy.com/help/article/6135/dnssec-faq) says I can configure Self-Managed DNSSEC with custom nameservers
They: Yes but you must have control over signing your zones
Me: I do, the NS is hosted on a DigitalOcean VPS on which I have root access
They: But not in THIS account, the zone file must be controlled by THIS account.
After some argument this is what they said
The Domain name has to be within the same account with the Premium DNS ... most people will also have their VPS on the same account to prevent cross account errors like this
Me: :-S :-S :-S :-S
What is wrong here? Did I configure DNSSEC incorrectly in BIND?
Or do I have to sign up with GoDaddy VPS to use Self-Managed DNSSEC :-D :-D
Here is the dig output
# dig DNSKEY +multiline nginx-repo.com @dns.nginx-repo.com
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DNSKEY +multiline nginx-repo.com @dns.nginx-repo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31501
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;nginx-repo.com. IN DNSKEY
;; ANSWER SECTION:
nginx-repo.com. 86400 IN DNSKEY 257 3 7 (
AwEAAaqoS3iOSx6zKrlp28xrLfL4VX4OTCOc5wiUQYy0
xV0Z1Duq2NHEbJAniAF9K4Hgp+YbvpheF667+1gKLeuc
RO6DiHAp08kQf45fo6NVvdWSqQlH5JS9bdawx1BtKi/k
BXLWtL+j9wJ+Xn2MmwyAvSEZ+XBnSnZmSkK5AqKd99A5
/UTNazgnwrsVIeBswczh+L/Fl55dAfoJfeFdBjK0ttHg
mrydkfYV+pK/poMQEbIcfxA3CHql7J7aXQWsqVozlXwM
mDZ9rJ9dtY4fySSA5apF1P5ulnvSRyvpRHP9Nr6IDP9q
PmIkmQYy3N+wADIbSvAloCEhyHy3hHzmD/B033O7Pk1T
KjVx9Xiso3NvT2lipgZdWUffiC5Az3XJNeAbp1nNg8Rn
5ZDyLf1yusBzxvV+bjybKBxj5SQHOJWtPu8BuczEEcW+
mSOtRPxPg90idbMGrW3QgVTqx3fp/CfJbDpffZ8scpOg
dFoQ9/sjib/BYt8zgadU0fmQD0MvGm9OLB713I9Zbi/I
lMhephDaFcK4BRRY08BYwh53pWw32OnUmj6aqPFOsok9
pYVkpzFDHifw4dcvGj0aFk4FKcNyXDqLwpT4rQNDRWaN
7WRLViglBzVEfesGZN6GGgL9gJIfLuCovbLEhRIUYql/
wNG83GKMAK7Nx7gvqfeKsmesYeKL
) ; key id = 22728
nginx-repo.com. 86400 IN DNSKEY 256 3 7 (
AwEAAc+8SlNMiwtQT6/1NitlWBPg7dx53A7cmP3tg75Q
PlEqQrTRzf4+j5JPTfV/dHjwd4lXpEYxi+YMT8e3q9KM
SyBuZSIGJc+rBsdPDqaWPLL8J8/D3mK4cGOPvD8BIs4V
Zo+v9sMm4PQsXkcntGJ45UPTflGghss8MNveg1U/+irL
oIOm7jP2iLS6lPdhxrpuoXH8nBMIvjMxAQBRAlxkUjO1
X9OOw+G/rCrcjyv7gyt7ihy1+CZCrrQE7Mg629BHCkMv
40bLt5SdW9+IXe4soVNo+4gR9XgGDXTikztN/ZoAAjiJ
Z9uwsJ3C1FGxwyH3/EwafhxXXDnDmHL3+oCUvfs=
) ; key id = 2579
;; Query time: 0 msec
;; SERVER: 192.241.253.191#53(192.241.253.191)
;; WHEN: Mon Nov 25 19:42:10 2013
;; MSG SIZE rcvd: 840
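
Added example, not part of the original post: a local check that a line from the dsset file really corresponds to the DNSKEY the nameserver returns, by recomputing the key tag (RFC 4034 Appendix B) and the DS digest (hash of the owner name in wire form followed by the DNSKEY RDATA). The function names and the 3-byte sample key are constructed for illustration; substitute the flags-257 key from the dig output.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    key = base64.b64decode("".join(key_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(ds_line, owner, rdata):
    """Check one line of a dsset file against a DNSKEY's RDATA."""
    fields = ds_line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    if dtype not in DIGESTS:
        return False
    digest = "".join(fields[i + 4:]).upper()  # dsset may split the hex with a space
    return (tag, alg, dtype, digest) == make_ds(owner, rdata, dtype)

# Constructed sample: a 3-byte "key", far too short to be real, chosen so the
# key tag can be checked by hand. Use the KSK (flags 257) from dig instead.
OWNER = "nginx-repo.com."
SAMPLE_RDATA = dnskey_rdata(257, 3, 7, "AQID")

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(OWNER, SAMPLE_RDATA, 2)
    line = f"{OWNER} IN DS {tag} {alg} {dtype} {digest[:56]} {digest[56:]}"
    print(line, "->", ds_matches(line, OWNER, SAMPLE_RDATA))
```

If `ds_matches` returns True for the dsset line and the served KSK, the DS data submitted to the registrar is consistent with the signed zone.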