
I am trying to set DNSSEC on a domain I own and I ran into an issue. When checking the configuration with the following site, I get an error:

http://dnscheck.pingdom.com/troubleshooting.php?domain=dontgetlemon.eu

Broken chain of trust for dontgetlemon.eu - DNSKEY found at child, but no DS was found at parent.

The child seems to use DNSSEC, but the parent has no secure delegation. Because of this, the chain of trust between the parent and the child is broken and validating resolvers will not be able to validate answers from the child.

I am not really sure what to do here, not much experience with setting this up.

Now, let me explain the setup a bit:

  • The registrar for the domain is cloudns.net
  • I am using cloudflare for the domain
  • I have the cloudflare NS in my registrar's panel
  • I added a TXT record for the DS and DNSKEY setup in the registrar's panel. My registrar does not have DNSKEY/DS/NSEC record types.

My TXT records look like this: (screenshot not reproduced)

I also checked my setup using these: http://dnsviz.net/d/dontgetlemon.eu/dnssec/ http://dnssec-debugger.verisignlabs.com/dontgetlemon.eu

Comforse

1 Answer

In general, DNSSEC cannot be set up on your dontgetlemon.eu zone alone, but it has to be added to the parent .eu zone, too. Exactly as the Verisign Labs DNSSEC debugger explains:

No DS records found for dontgetlemon.eu in the eu zone.

The parent zone data should include DS records for the child zone. To remedy, the signer of the dontgetlemon.eu zone should send the current DS records to the eu.

DNSSEC must be enabled via your registrar. They request that .eu sign your DS with their own key, making the chain of trust complete.

You state that ClouDNS is your registrar, and ClouDNS doesn't seem to support DNSSEC for master (i.e. primary) zones. This might be a problem if you use them as a registrar or DNS provider.

Q: Do you support DNSSEC?

A: Yes, we support it for Slave/Backup/Secondary DNS zones.

However, as whoisdb shows, your registrar is actually Public Domain Registry.

Registrar:
        Name: PDR Ltd.
        Website: http://www.publicdomainregistry.com

It seems they do have support, but currently the instructions are unavailable (HSTS & invalid CN).

Esa Jokinen
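The check behind the answer above is mechanical: a DS record at the parent is a digest of the child's DNSKEY RDATA prefixed with the canonical owner name, plus the key's tag and algorithm, so you can compute the DS the parent ought to publish and compare it with what the parent actually serves. The following is an added example, not code from the question, the answer or any registrar; the DNSKEY in it is constructed (a fake 64-byte public key under algorithm 13), the owner name is only reused from the question, and the function names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample data for this example only: not a real key and not the
# asker's zone data. A KSK (flags 257), protocol 3, algorithm 13
# (ECDSAP256SHA256) with a fake 64-byte public key of the bytes 0x01..0x40.
SAMPLE_OWNER = "dontgetlemon.eu."
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")

# DS digest type -> hashlib name (RFC 4034 type 1, RFC 4509 type 2, RFC 6605 type 4)
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, then the root label."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(dnskey_text: str) -> bytes:
    """Turn 'flags protocol algorithm base64' (as dig prints it) into DNSKEY RDATA."""
    flags, protocol, algorithm, b64 = dnskey_text.split(None, 3)
    pubkey = base64.b64decode("".join(b64.split()))  # dig may wrap the base64
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA (presentation format) the parent must publish for this DNSKEY:
    digest = hash(canonical owner name | DNSKEY RDATA)."""
    rdata = parse_dnskey(dnskey_text)
    algorithm = rdata[3]  # byte 3 of the RDATA is the algorithm number
    digest = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


def ds_matches(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True iff a DS record (as served by the parent) was derived from this DNSKEY.
    Case and whitespace inside the hex digest are ignored; an unknown digest
    type cannot be checked and is reported as no match."""
    tag, algorithm, digest_type, digest = ds_text.split(None, 3)
    if int(digest_type) not in DIGEST_TYPES:
        return False
    expected = make_ds(owner, dnskey_text, int(digest_type)).split()
    return (
        int(tag) == int(expected[0])
        and int(algorithm) == int(expected[1])
        and "".join(digest.split()).upper() == expected[3]
    )


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("parent DS matches child DNSKEY:", ds_matches(SAMPLE_OWNER, ds, SAMPLE_DNSKEY))
```

In practice you would paste the KSK (flags 257) from `dig DNSKEY dontgetlemon.eu` into `make_ds` and compare the result with the answer to `dig DS dontgetlemon.eu` asked of the .eu name servers; an empty DS answer there is exactly the "no DS was found at parent" that dnsviz and the Verisign debugger report, and no TXT record in the child zone can substitute for it, because validating resolvers only look for the DS at the parent.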