I have this hidden master DNS nameserver notifying and updating the two public slave DNS servers:

  • my own VPS running Debian/Bind9 DNS
  • 3rd-party secondary nameserver provider (afraid.org)

I finally got DNSSEC working with the hidden master and my public slave server (VPS).

Now I am searching high and low for a secondary nameserver service provider that can ALSO support DNSSEC. I couldn't find one. I couldn't understand why.

Then I saw this clue on GoDaddy Secondary NameServer wiki:

  • "You cannot use both DNSSEC and Secondary DNS with the same domain name."

Why can't a 3rd party provide a secondary name server with DNSSEC?

Tommiie
John Greene

3 Answers

As has been noted, the quoted statement is one service provider noting a limitation in their own service, it's not a universal truth.

All that is really needed to make what you ask for work is this:

  • Slave nameserver gets an exact copy of the full zone data (including public keys, signatures, everything) such as what happens with a normal zone transfer (AXFR/IXFR), and simply uses the received zone data verbatim, no mucking about with the data.
  • Slave nameserver software supports DNSSEC. I.e., supports EDNS0, knows to act on the DNSSEC-relevant flags in the header/EDNS0 fields (such as returning relevant RRSIG/NSEC in responses to queries that request DNSSEC).

As for why the service provider referenced in the question cannot do this, you will really need to direct the question to them to get a proper answer.
Maybe they are using some custom or outdated nameserver software that cannot meet the above requirements? Maybe it's some kind of policy decision that is not even purely technical?

If you look at service providers that have more of a focus on DNS hosting, my impression is that requirements like the above are usually a non-issue (provided they have a slave nameserver option in the first place).

Håkan Lindqvist
    Or the secondary does not support NSEC3 and cannot use the NSEC3PARAM record in the primary that is needed to compute proper NSEC3 replies for DNSSEC protected NXDOMAIN replies. – Patrick Mevzek Aug 31 '18 at 02:46
  • @PatrickMevzek In terms of knowing which records to return in negative responses, it would need to be NSEC3-aware. True. (The NSEC3 records are all prepared, but it needs to know how to deal with them.) – Håkan Lindqvist Aug 31 '18 at 05:49
  • I'm finding that Hurricane Electric finally offers TSIG-based AXFR secondary nameserver now. https://web.archive.org/web/20181206122203/https://dns.he.net/ – John Greene Jun 07 '20 at 13:55
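The two requirements in this answer can be checked from the outside: a query with the EDNS0 DO bit set must come back with RRSIG records, and a query for a nonexistent name must come back NXDOMAIN with a signed NSEC or NSEC3 proof (the NSEC3 point raised in the comments). The following stdlib-only Python probe is an added example, not code from this answer or from any provider named on the page; the server address, zone and probe label passed to `check_secondary` are assumptions you supply.

```python
import socket
import struct
RRSIG, NSEC, NSEC3, OPT, SOA, NXDOMAIN = 46, 47, 50, 41, 6, 3  # DNS type codes / rcode

def encode_name(name):
    """Wire-format a dotted name (uncompressed labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype, txid=0x1234):
    """Query carrying an EDNS0 OPT RR whose DO bit asks for RRSIG/NSEC/NSEC3 in the reply."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)  # flags 0x8000 = DO
    return header + question + opt

def skip_name(data, off):
    """Advance past a possibly compressed owner name and return the new offset."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2  # compression pointer occupies two bytes
        off += data[off] + 1
    return off + 1

def parse_response(data):
    """Return (rcode, RR types in ANSWER, RR types in AUTHORITY) from a raw reply."""
    flags, _qd, an, ns = struct.unpack(">HHHH", data[2:10])
    off = skip_name(data, 12) + 4  # single question; skip QNAME, QTYPE, QCLASS
    answer, authority = [], []
    for types, count in ((answer, an), (authority, ns)):
        for _ in range(count):
            off = skip_name(data, off)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
    return flags & 0xF, answer, authority

def serves_dnssec(rcode, answer, authority):
    """Positive replies must carry RRSIG; NXDOMAIN must carry a signed NSEC or NSEC3 proof."""
    if rcode == NXDOMAIN:
        return RRSIG in authority and (NSEC in authority or NSEC3 in authority)
    return RRSIG in answer

def check_secondary(server, zone, timeout=3):
    """Live probe (needs network): SOA of the zone, then a name that should not exist in it."""
    def ask(qname):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, SOA), (server, 53))
            return serves_dnssec(*parse_response(s.recv(4096)))
    return {"rrsig_on_soa": ask(zone), "proof_on_nxdomain": ask("dnssec-probe-nonexistent." + zone)}
```

This covers only the "software supports DNSSEC" half; the "exact copy" half is checked by comparing the SOA serial on primary and secondary, which plain `dig SOA` does.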

That's not a universally true statement. It's probably either their own limitation or tries to say that the secondary name server cannot sign the records. When DNSSEC is enabled, the primary name server does the signing. Therefore, it's also the only authoritative name server that needs to hold the private signing key. Then, any secondary name servers should be able to transfer the already signed zone using AXFR zone transfer.

Esa Jokinen
  • "that the secondary name server cannot sign the records" it does not need to, if signatures are precomputed they are in the zone, the secondary just gets all of them from the primary, it does not need to have the private key at all. The only thing he may need to do that needs coordination with the primary is related to NSEC3. The secondary needs to understand the NSEC3PARAM record and use it for replying to NXDOMAIN queries. – Patrick Mevzek Aug 31 '18 at 02:45

I am using ClouDNS as secondary DNS for DNSSEC signed zones and it works without problems (but you need a paid account for secondaries).

freedns.42.pl provides free DNS servers (both primary and secondary) and as far as I remember secondaries support DNSSEC without a problem.

Tomek