DNSSEC: DS records for subdomain delegation & User Level DNSSEC

Version 1.46


DS records can now be added to the zone in the interface. This is not for the normal DNSSEC zone signing (that's hidden in the signed zone). The DS records in this context are for subdomain zone delegation.

If you create sub.domain.com as a full domain, its DS records need to go up the chain of trust. The next link in the chain for a subdomain zone is not your domain registrar, it's your domain.com zone. So, the solution to make sub.domain.com pass DNSSEC validation is to take the DS records from the sub.domain.com zone, created with the signing, and place them into the standard DS records in your domain.com zone (aka: this feature).

In the future, I may add a setting to automatically add the subdomain DS/NS values into the master domain zone. We'll test out this functionality first, to ensure it works.

**** NOTE: when you paste the subdomain DS record into the domain.com zone, you must also create NS records for the subdomain in the domain.com zone:

subdomain.domain.com. NS ns1.domain.com.
subdomain.domain.com. NS ns2.domain.com.

where you'd specify the server that holds the subdomain.domain.com zone (the subdomain zone can exist on a delegated remote server if you need). Without the NS records for the subdomain in the domain's zone, the domain will not be able to re-sign its keys.

It has been reported that you only need to add the *first* DS record into the higher-level chain (the zone one level up). For sub.domain.com, you'd use the first DS record and add it to the domain.com zone (along with the 2 NS records).

Remember: adding/removing values from a signed zone will try to automatically re-sign the zone. To be sure, manually click the "Sign" button after setting up the DS and NS records in the domain.com zone.

Related forum thread: http://forum.directadmin.com/showthread.php?t=49651

------------------------

The DNSSEC info will now be displayed in the User Level zone, if DNSSEC is enabled.
New directadmin.conf variable, and its default value:

user_dnssec_control=0

If this is changed to 1, then the "Generate Keys" and "Sign" buttons will be available for use by the User. We may change the user_dnssec_control value to 1 in a future release (undecided).

--------------------------------

SKINS

admin/dns_admin_control.html
user/dns_control.html

Added new form/line for the DS records.

-------------------------------

TEMPLATES

named.db

Added:

|?DS_TIME=14400|
|DS|
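As an added example (not DirectAdmin code), this Python check covers the subdomain delegation described in the DS records section: it confirms that the domain.com zone text holds NS records and a DS record for the subdomain, and that the DS matches the subdomain's key-signing DNSKEY by recomputing the key tag and digest per RFC 4034. The function names, the one-record-per-line fully qualified zone text and the filler key are assumptions made for illustration.

```python
import base64, hashlib, struct
HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rr_fields(line, rrtype):
    """(owner, rdata fields) for a one-line, fully qualified record, else None."""
    f = line.split(";")[0].split()
    return (f[0].lower(), f[f.index(rrtype, 1) + 1:]) if rrtype in f[1:] else None

def ds_from_dnskey(dnskey_line, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY record."""
    owner, (flags, proto, alg, *b64) = rr_fields(dnskey_line, "DNSKEY")
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))
    digest = HASHES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), int(alg), digest_type, digest

def check_delegation(parent_zone, child, child_dnskey_line):
    """List what the parent zone text lacks for a validating delegation of child."""
    ns, ds = [], []
    for line in parent_zone.splitlines():
        for rrtype, found in (("NS", ns), ("DS", ds)):
            rr = rr_fields(line, rrtype)
            if rr and rr[0] == child.lower():
                found.append(rr[1])
    problems = ["no %s records for %s" % (t, child) for t, r in (("NS", ns), ("DS", ds)) if not r]
    for tag, alg, dtype, *hexparts in ds:
        have = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
        if int(dtype) not in HASHES or have != ds_from_dnskey(child_dnskey_line, int(dtype)):
            problems.append("DS %s does not match the child's DNSKEY" % tag)
    return problems

# Constructed sample data: the "key" is 64 filler bytes, not a real KSK.
CHILD = "sub.domain.com."
CHILD_DNSKEY = CHILD + " 14400 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = "%s 14400 IN DS %d %d %d %s" % ((CHILD,) + ds_from_dnskey(CHILD_DNSKEY))
    ns = "%s NS ns1.domain.com.\n%s NS ns2.domain.com.\n" % (CHILD, CHILD)
    print(check_delegation(ns + ds, CHILD, CHILD_DNSKEY))  # complete delegation
    print(check_delegation(ds, CHILD, CHILD_DNSKEY))       # NS records missing
```

An empty list means the parent zone carries both halves of the delegation and the DS corresponds to the key supplied; run it against the DNSKEY with flags 257 from the signed subdomain zone.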

