
I am trying to set DNSSEC on a domain I own and I ran into an issue. When checking the configuration with the following site, I get an error:

http://dnscheck.pingdom.com/troubleshooting.php?domain=dontgetlemon.eu

Broken chain of trust for dontgetlemon.eu - DNSKEY found at child, but no DS was found at parent.

The child seems to use DNSSEC, but the parent has no secure delegation. Because of this, the chain of trust between the parent and the child is broken and validating resolvers will not be able to validate answers from the child.

I am not really sure what to do here, not much experience with setting this up.

Now, let me explain the setup a bit:

  • The registrar for the domain is cloudns.net
  • I am using cloudflare for the domain
  • I have the cloudflare NS in my registrar's panel
  • I added a TXT record for the DS and DNSKEY setup in the registrar's panel. My registrar does not have DNSKEY/DS/NSEC

My TXT records look like this: [screenshot of the TXT records in the registrar panel]

I also checked my setup using these:

  • http://dnsviz.net/d/dontgetlemon.eu/dnssec/
  • http://dnssec-debugger.verisignlabs.com/dontgetlemon.eu

Comforse
  • Please be warned that DNSSEC needs at least a little experience and strong discipline. If you are just starting with it, try to use non-production domains to play with and read a lot of documentation. Also, if you cannot put DNSKEY records in your zone due to your current hoster, you can stop there: DNSSEC will never work for your domain; you cannot just replace DNSKEY records by TXT ones and hope that will work... – Patrick Mevzek Nov 27 '17 at 15:44

1 Answer


In general, DNSSEC cannot be set up on your dontgetlemon.eu zone alone, but it has to be added to the parent .eu zone, too. Exactly as the Verisign Labs DNSSEC debugger explains:

No DS records found for dontgetlemon.eu in the eu zone.

The parent zone data should include DS records for the child zone. To remedy, the signer of the dontgetlemon.eu zone should send the current DS records to the eu.

The DNSSEC must be enabled via your registrar. They request .eu sign your DS with their own key, making the chain of trust complete.

You state that ClouDNS is your registrar, and ClouDNS doesn't seem to support DNSSEC for master i.e. primary zones. This might be a problem if you use them as a registrar or DNS provider.

Q: Do you support DNSSEC?

A: Yes, we support it for Slave/Backup/Secondary DNS zones.

However, as whoisdb tells, your registrar is actually Public Domain Registry.

Registrar:
        Name: PDR Ltd.
        Website: http://www.publicdomainregistry.com

It seems they do have support, but currently the instructions are unavailable (HSTS & invalid CN).

Esa Jokinen
  • The "This can be understood as not supporting DNSSEC for master i.e. primary zones." bit does not appear relevant in this case as they are only the registrar in this case. – Håkan Lindqvist Nov 26 '17 at 11:29
  • Thanks Håkan. I didn't check that as it's stated in the question that "The registrar for the domain is cloudns.net". – Esa Jokinen Nov 26 '17 at 11:30
  • OP is using Cloudflare for their actual DNS services, but is showing a screenshot from Cloudns's dns services interface (a service they are not using) with mangled DS records as TXT. So the question is rather just how one actually adds `DS` through Cloudns, something which I am not sure of, it could potentially be a problem but that is not covered in the FAQ you linked to. may be worth asking Cloudns if it's not readily available in the registrar part of their web interface. – Håkan Lindqvist Nov 26 '17 at 11:37
  • (If their statement that cloudns is their registrar is false, of course that changes things further) – Håkan Lindqvist Nov 26 '17 at 11:40
  • Both cases are now covered with sufficient accuracy. :) – Esa Jokinen Nov 26 '17 at 11:41
  • @EsaJokinen Ok, I contacted cloudns and they said they are planning to support DNSSEC not only for the slave zones, but they do not have an ETA. So your post answers my questions. Thanks. – Comforse Nov 27 '17 at 20:42
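As an added example (not from the question or the answer above), the following script shows what the checkers are actually comparing: it derives the DS record that the parent (.eu) must publish from the child's DNSKEY per RFC 4034, and reproduces the "DNSKEY found at child, but no DS at parent" verdict when the parent has nothing. The DNSKEY material is constructed filler, not the real key of dontgetlemon.eu; a DS stored as a TXT record at the registrar would simply not appear in the parent's DS set.

```python
import base64
import hashlib
import struct

# Constructed example key (algorithm 13 = ECDSA P-256, 64-byte public key);
# flags 257 marks a KSK. Not the real dontgetlemon.eu key.
CHILD_ZONE = "dontgetlemon.eu"
CHILD_DNSKEYS = [(257, 3, 13, base64.b64encode(bytes(range(64))).decode())]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone, flags, proto, alg, pubkey_b64, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) the parent must publish.
    The digest covers owner name in wire form + DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def delegation_status(zone, dnskeys, parent_ds):
    """Emulate the checker's verdict: does any DS at the parent match a child DNSKEY?"""
    if not dnskeys:
        return "insecure: no DNSKEY at child"
    if not parent_ds:
        return "broken chain of trust: DNSKEY found at child, but no DS at parent"
    for ds in parent_ds:
        for key in dnskeys:
            if ds[2] in (1, 2) and make_ds(zone, *key, digest_type=ds[2]) == ds:
                return "secure delegation"
    return "broken chain of trust: DS at parent matches no DNSKEY at child"
```

Running `make_ds(CHILD_ZONE, *CHILD_DNSKEYS[0])` gives the four fields to hand to the registrar; `delegation_status` with an empty parent DS list returns the same broken-chain verdict the question reports.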