DNSSEC DS Records from a sub-domain not propagating to secondary DNS server

    Question

  • I am using Windows DNS on Windows 2012 R2

    I have a domain (constitutionalrightspac.com) that is signed with DNSSEC. I also have a subdomain (act.constitutionalrightspac.com) that is also signed.

    The DS records for the constitutionalrightspac.com domain were uploaded to the registrar (for inclusion into the "com" domain).

    The DS records for the sub-domain were in the parent zone (constitutionalrightspac.com).
    The DS records that were put into constitutionalrightspac.com are not propagating to the secondary DNS server.

    When using this site: http://dnssec-debugger.verisignlabs.com/, both domains seem to check out.

    But using the following sites:

    http://dnsviz.net/d/act.constitutionalrightspac.com/dnssec/
    http://dnscheck.pingdom.com/

    Both come up with errors that I have no clue how to go about fixing.

    Thank you in advance for any help.


    Wednesday, May 25, 2016 3:49 PM

All replies

  • Hi larrytechcr,

    >>http://dnsviz.net/d/act.constitutionalrightspac.com/dnssec/

    According to the DNSSEC Authentication Chain error for act.constitutionalrightspac.com, it said the signature of the RRSIG RR is not valid. Please check this KB:

    DNS queries fail on secondary DNS server running Windows Server 2012 R2 or Windows Server 2012

    https://support.microsoft.com/en-us/kb/2964090

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, May 26, 2016 2:56 AM
    Moderator
  • Thank you for the response. As far as I can tell these articles end up pointing to updates that should have been included in standard Windows Update. I have made sure both systems are completely up to date, and I am still having the problem.
    Thursday, May 26, 2016 5:30 AM
  • Hi,

    Sorry for the delay. Maybe this will give you some hints:

    Checking the RRSIG RR Validity

       A security-aware resolver can use an RRSIG RR to authenticate an
       RRset if all of the following conditions hold:

       o  The RRSIG RR and the RRset MUST have the same owner name and the
          same class.

       o  The RRSIG RR's Signer's Name field MUST be the name of the zone
          that contains the RRset.

       o  The RRSIG RR's Type Covered field MUST equal the RRset's type.

       o  The number of labels in the RRset owner name MUST be greater than
          or equal to the value in the RRSIG RR's Labels field.

       o  The validator's notion of the current time MUST be less than or
          equal to the time listed in the RRSIG RR's Expiration field.

       o  The validator's notion of the current time MUST be greater than or
          equal to the time listed in the RRSIG RR's Inception field.

       o  The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
          match the owner name, algorithm, and key tag for some DNSKEY RR in
          the zone's apex DNSKEY RRset.

       o  The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
          RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
          set.

    REF: https://www.ietf.org/rfc/rfc4035.txt

    ________________________________________
    Best Regards,
    Cartman

    Wednesday, June 8, 2016 3:08 AM
    Moderator
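The eight conditions quoted above from RFC 4035 section 5.3.1, worked through in code. This is an added example and not part of the thread, of Windows DNS, or of any DNSSEC library: a small Python checker that parses DNSKEY and RRSIG records in presentation format (as `dig +dnssec` prints them), computes the key tag per RFC 4034 Appendix B, and reports which of the conditions fail for a given RRset. It goes beyond the single error in the thread by running the check over several constructed cases that a secondary server can produce: a signature that expired because the zone was never re-transferred after the primary re-signed it, a signature made by a key that has since been rolled out of the apex DNSKEY set, and a signature whose Signer's Name is the parent zone rather than the delegated child. The zone name act.example.com, the two keys, the timestamps and the signature are constructed placeholders; the cryptographic verification that would follow these checks is not performed.

```python
"""RFC 4035 s5.3.1: the checks a validator makes before using an RRSIG to authenticate an RRset.
Added example for this thread, not code from the thread, Windows DNS or any DNSSEC library.
Records are in presentation format (as printed by dig +dnssec); all samples are constructed
placeholders, so the cryptographic signature verification that follows these checks is not done."""
import base64
import struct
from datetime import datetime, timezone

DNSKEY_ZONE_FLAG = 0x0100  # "Zone Key" flag, RDATA flag bit 7 (RFC 4034 s2.1.1)

def _ts(text):
    """RRSIG time field: YYYYMMDDHHmmSS in UTC, or plain seconds since the epoch."""
    if len(text) == 14:
        return int(datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())
    return int(text)

def label_count(name):
    """Number of labels in an owner name, not counting the root label."""
    return len([label for label in name.rstrip(".").split(".") if label])

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_rr(line):
    """Generic RR: owner, TTL, class, type and the remaining RDATA tokens."""
    owner, ttl, rrclass, rrtype, *rdata = line.split()
    return {"owner": owner.lower(), "ttl": int(ttl), "class": rrclass, "type": rrtype, "rdata": rdata}

def parse_dnskey(line):
    rr = parse_rr(line)
    flags, protocol, algorithm, *pubkey = rr["rdata"]  # base64 may be split over several tokens
    rr.update(flags=int(flags), protocol=int(protocol), algorithm=int(algorithm),
              key_tag=key_tag(int(flags), int(protocol), int(algorithm), "".join(pubkey)))
    return rr

def parse_rrsig(line):
    rr = parse_rr(line)
    covered, alg, labels, orig_ttl, expiration, inception, tag, signer, *sig = rr["rdata"]
    rr.update(type_covered=covered, algorithm=int(alg), labels=int(labels), original_ttl=int(orig_ttl),
              expiration=_ts(expiration), inception=_ts(inception), key_tag=int(tag),
              signer=signer.lower(), signature="".join(sig))
    return rr

def rrsig_problems(rrsig, rrset, apex_dnskeys, zone, now):
    """Return the s5.3.1 conditions that fail; an empty list means the RRSIG may be used.
    zone is the apex of the zone that *contains* the RRset: for a delegated sub-zone
    such as act.example.com that is the child zone, not the parent."""
    problems = []
    if {rr["owner"] for rr in rrset} != {rrsig["owner"]} or {rr["class"] for rr in rrset} != {rrsig["class"]}:
        problems.append("owner-or-class")
    if rrsig["signer"] != zone:
        problems.append("signer-not-zone")
    if {rr["type"] for rr in rrset} != {rrsig["type_covered"]}:
        problems.append("type-covered")
    if label_count(rrsig["owner"]) < rrsig["labels"]:
        problems.append("labels")
    if now > rrsig["expiration"]:
        problems.append("expired")
    if now < rrsig["inception"]:
        problems.append("not-yet-valid")  # usually clock skew between signer and validator
    matching = [k for k in apex_dnskeys if k["owner"] == rrsig["signer"]
                and k["algorithm"] == rrsig["algorithm"] and k["key_tag"] == rrsig["key_tag"]]
    if not matching:
        problems.append("no-matching-dnskey")
    elif not any(k["flags"] & DNSKEY_ZONE_FLAG for k in matching):
        problems.append("zone-flag-clear")
    return problems

# Constructed apex DNSKEY RRset and A RRset for a signed sub-zone (placeholder keys, not real ones).
ZONE = "act.example.com."
APEX_DNSKEYS = [parse_dnskey(line) for line in (
    "act.example.com. 3600 IN DNSKEY 257 3 8 BQY=",      # KSK, key tag 2319
    "act.example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==",  # ZSK, key tag 2062
)]
A_RRSET = [parse_rr("act.example.com. 3600 IN A 192.0.2.10")]
RRSIG_FMT = "act.example.com. 3600 IN RRSIG A 8 3 3600 {exp} {inc} {tag} {signer} c2lnbmF0dXJl"

def demo(now=_ts("20160608030800")):
    """Check four constructed RRSIGs over A_RRSET as of the date of the reply above."""
    good = dict(exp="20160625000000", inc="20160526000000", tag=2062, signer=ZONE)
    cases = {
        "fresh": good,
        "stale-on-secondary": dict(good, exp="20160601000000", inc="20160502000000"),  # never re-transferred
        "rolled-key": dict(good, tag=2063),  # signed by a ZSK that is no longer in the apex DNSKEY set
        "signed-by-parent": dict(good, signer="example.com."),  # parent's key cannot sign child data
    }
    return {name: rrsig_problems(parse_rrsig(RRSIG_FMT.format(**fields)), A_RRSET, APEX_DNSKEYS, ZONE, now)
            for name, fields in cases.items()}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:20s} {'usable' if not problems else ', '.join(problems)}")
```

To use it on real data, feed `rrsig_problems` the DNSKEY and RRSIG records returned by the primary and by the secondary for the same name. An RRSIG that is "usable" from the primary but "expired" or "no-matching-dnskey" from the secondary points at a zone transfer that has not picked up the re-signed zone or the new keys, which is a different problem from a DS mismatch in the parent zone and is worth ruling out before touching the DS records.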