DNSSEC DS records not created in parent zones

  • Hi,

    We're in the process of enabling DNSSEC for all zones of our Active Directory domain. We use Windows Server 2012 R2 domain controllers and DNS servers.

    So far, I've been able to sign several of our DNS zones. Many of those zones are part of a multi-level hierarchy, like:

    mydomain.com
      +-> site.mydomain.com
        +-> department.site.mydomain.com

    etc.

    DNSSEC validation works fine as long as we publish trust anchors for each signed zone. However, the expected behaviour is to rely on DS records published in a parent zone to validate the trust of a subdomain.

    Our problem is that no DS record was ever added to any parent zone. I can see valid dsset-* and keyset-* files are created in the C:\Windows\system32\DNS folder, but there is no DS record on the DNS server. I tried to re-sign the zone with

    Invoke-DnsServerZoneSign -ZoneName mydomain.com -DoResign -Force

    But it did not change anything. All zones were signed with default parameters, and we have one KSK and one ZSK for all zones.

    The official documentation states that:


    Apparently, something is not working as expected. Do you have any clue about what's going on?

    Thanks,

    Marin.

    Tuesday, May 23, 2017 1:31 PM

All replies

  • Hi Marin Bernard (PEP06),

    Please check if the following link is helpful:

    https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 24, 2017 6:54 AM
  • Hi Candy,

    Thank you for the link, but I think I know how DNSSEC works. I have a very specific issue with DS records which, according to Microsoft documentation, should be created automatically at zone re-signing, but are not. I wonder why. Can you help me?

    Thanks,

    Marin.

    Wednesday, May 24, 2017 9:03 AM
  • Hi Marin Bernard (PEP06),

    >>I have a very specific issue with DS records which should be created automatically at zone re-signing according to Microsoft documentation, but are not.

    Based on the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which helps us understand and analyze this issue comprehensively.

    Best Regards,

    Candy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 29, 2017 9:35 AM
  • Hi Marin,

    The child DS needs to be imported into the parent zone. Please see: https://technet.microsoft.com/library/dn593672.aspx#DS 

    Let me know if you have questions.

    Thanks,

    -Greg

    Thursday, September 14, 2017 10:23 PM
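The import step from the reply above, as an added example that is not code from the thread or from Microsoft: it takes the dsset-* file the signing process already wrote, imports it into the parent zone, and then checks the DS record is present and returned to a DNSSEC-aware query. It assumes both zones are hosted and signed on the same Windows Server 2012 R2 DNS server with the DnsServer module available; the zone names are the thread's placeholders, and $Server, $label and the file paths are assumptions.

```powershell
# Added example: link a signed child zone to its signed parent by importing
# the child's DS set, then verify the delegation. Assumes the DnsServer module
# and that both zones live on the same server (assumption: $Server).
param(
    [string]$Parent = 'mydomain.com',
    [string]$Child  = 'site.mydomain.com',
    [string]$Server = 'localhost'
)
Import-Module DnsServer

$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
$dsset  = Join-Path $dnsDir "dsset-$Child"

# 1. Signing writes dsset-<zone> into the DNS folder, as observed in the
#    question. If it is missing, export it again from the child's KSK with a
#    SHA-256 digest rather than SHA-1 (assumption: -Path takes the folder).
if (-not (Test-Path $dsset)) {
    Export-DnsServerDnsSecPublicKey -ZoneName $Child -Path $dnsDir `
        -DigestType Sha256 -Force -ComputerName $Server
}
if (-not (Test-Path $dsset)) { throw "No DS set found for $Child at $dsset" }

# 2. Re-signing the parent did not add the DS record (see the question);
#    it has to be imported into the parent from the child's DS set.
Import-DnsServerResourceRecordDS -ZoneName $Parent -DSSetFile $dsset `
    -ComputerName $Server

# 3. Confirm the DS record now exists in the parent zone under the child's
#    label (assumption: child is exactly one label below the parent).
$label = $Child.Substring(0, $Child.Length - $Parent.Length - 1)   # 'site'
$ds = Get-DnsServerResourceRecord -ZoneName $Parent -Name $label `
        -RRType DS -ComputerName $Server -ErrorAction SilentlyContinue
if (-not $ds) { throw "DS for $Child still missing in $Parent" }
$ds | Format-Table HostName, RecordType,
    @{n='KeyTag';e={$_.RecordData.KeyTag}},
    @{n='DigestType';e={$_.RecordData.DigestType}} -AutoSize

# 4. A DNSSEC-aware query for the child's DS at the parent should now answer,
#    so validation can follow the chain instead of a per-zone trust anchor.
Resolve-DnsName -Name $Child -Type DS -Server $Server -DnssecOk |
    Format-Table Name, Type, TTL -AutoSize
```

Repeat the import for each signed child (department.site.mydomain.com into site.mydomain.com, and so on), and re-run the import whenever a child KSK rolls over, since the parent's DS only matches the key it was generated from.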