Are subdomains possible?

i read some older threads on this topic but i’m not sure of the conclusion. also in the domain panel i registered and it’s seemingly not getting propagated. is there another way for configuring subdomains?

Hi Som,

not sure what you are asking exactly? Technically example in is a subdomain of

Are you asking about or

Again it is unclear what you mean exactly?

What is the result of dig (or dig

If that does not yield answers try: dig (or dig
And all of the above specifying AAAA records, e.g. dig aaaa, etc.

Also how did you set values for the A or AAAA records? Did that yield a good status?


Update: I just tried to use something like It worked fine.

I was able to update using the mechanism (see: IP Update API — deSEC DNS API documentation) as well as the web GUI interface. My local DNS resolvers picked up the changes just fine (allowing for TTL timeouts of course).


hmm apparently it depends on the nameserver. i get a correct answer from but not from other (more upstream) nameservers. atm i get an empty answer usually with
‘; EDE: 6 (DNSSEC Bogus)’ just with i get ‘; EDE: 12 (NSEC Missing): 66 61 69 6c 65…’
did i faill to link the subdomain to the domain with dnssec?

also to clarify: this is just about (so maybe sub-subdomain?)

1 Like


Did you create the subdomain as a separate domain? (i.e. you did not create an RRset with the subdomain name in the subname field, and instead created a full domain?)

If so, you need to get DS delegation records at the parent domain, to configure the DNSSEC chain of trust.

Stay secure,

Did you solve thois problem?

I can use

with success, but the dats are not propaged.
can not find that host after a few hours of waiting for propagatoion.
only to ask Alternate DNS =
was successfull.

My strong feeling is, that google, quad9 and cloudflare do not trust
what a pity

Hi halhalhal!

Despite your “strong feeling” that other DNS forwarders do not trust deSEC this is not the case!

deSEC works fine and is trusted as far as that goes. (Actually deSEC as an entity does not need to be trusted by other DNS resolvers. However the individual domains for which deSEC is set up as the authoritative NS need to have the correct chain of trust. And deSEC will make sure that valid DNSKEY, RRSIG and NSEC3 records are generated.)

If a particular domain does not work then you have probably misconfigured something. E.g. missing or incorrect DS records in the parent domain as @peter suggested in his answer above.

You can check this using the DNSViz tool. It will tell you exactly where things go wrong w.r.t. DNSSEC.


Thank you for the suggestion

deSEC works not very fine with DS records.

E.g. missing or incorrect DS records in the parent domain as @peter suggested in his answer above.
He mentionted something undocumented.

the “usual” entry for as DS records looks lie this. @ 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42

I did not find any way to add this line in dessec.

As a programmer I would say, it es easy to generate this datas automatically - but ok, I have manually to cut/copy/paste this datas inside a system which knows all datas.

When using cut/copy/paste, the web interface has its own logic and do not show the result.

With try-and-error - which I would not call “work fine”, I found, that the paste of the

  • subdomainname is not checked by the interface - I used another interface in the past, so I expected a check - my fault, that dessec is not so improved
  • the security information is unexoected changed by the web interface

The subdomain has to be entered exactly without any domain part as abc. or fully qualified with trailing dot as
Sound logical? Yes and No, because where I have to enter the @ and IN from the raw format? Nowhere. And this is the point.
I have no idea, what dessec is doing magically and which parts not. The result is not shown, isn’t.
A system with magically adding undocumented parts is not very trustworthy.

The security lines without after DS must be manually copied line by line. First copy to clipboard, into a text editor, and than line by line back into the web interface.

you have probably misconfigured something
I did it right - because all information was entered.
I would not say, that I misconfigured the data in the fails - but the webinterface misconfigered my correct data, by generating a wrong internal records.

So its time to say thank you and goodbye

The DS records go into the parent domain. Is deSEC the authoritative NS for the parent domain? If not, you probably need to interact with your registrar to get them to make the change in the parent domain.

For example if your domain is then the DS records need to go into the com domain for which you will have no direct access. However the registrar that you have registered with should have a method to add/update the DS records in the com domain.

If you are talking about a subdomain of, i.e., then I have successfully done this (using example and subdomain.example as placeholder names for your names):

  • Create the domain
  • Create the domain
  • Add one or more DS records named subdomain to and set their values to the correct values for
  • Add NS records named subdomain to with values and

I have not tried the API in this case but you can certainly set the DS and NS records up using either the API or the web interface.

You seem to be under the misconception that the raw BIND style format is mandatory in some way. It is not. The same information can be presented in different ways and as it happens deSEC uses a very nice web gui or a JSON based API.

BTW. @ is just a shorthand for the domain name. and IN is basically redundant because we are only dealing with internet domains here.


This line is generated by the DNS provider (in this case, deSEC), but it needs to be added in the parent domain (in your example, in the .com zone). That’s why you need to take the DS record and forward it to your domain reseller, where you purchased your domain.

It works the same way like this with all DNS providers, and this complication has nothing to do with deSEC. (Only when the DNS provider is also the domain reseller, they can act without the domain owner telling them to do it.)

I am sorry to say, but you’re on the wrong track regarding how the whole thing works. I’d recommend going over a tutorial that explains the technical concepts, such as this one.

Stay secure,

You seem to be under the misconception that the raw BIND style format is mandatory in some way. It is not.

That is the point!
If dessec is not using the BIND style - than I expect a documentation about it.
Else I have to do try-and-error.

The dessec style is not BIND style - but what is dessec doing with the data.
It is not automatically setting the DS entry.
And dessec web interface is not able to use the obw datas in a cut/copy/paste style.

Sorry, but the web gui is not nice for me.
The documentes about the JSON based API is missing a lot of information about the names of the values etc. I would not call it nice. How to generate a lifetime token? How to get the token from and token by id. How to set a value inside a token. For example - how to set the “token” value of a token referenced by id. All this seems to be impossible. I would not call the API “nice”.

Yes and no.
All DNS providers have there own interface.
The interface is my problem. The interface is doing some invisible magics.
I guess it is (was) my problem.

Why? Unless you are in fact running BIND many of the DNS providers I have experience with have user interfaces that are different than raw BIND style. deSEC is not implemented using BIND. So why would they care about how BIND does things? The important part is that they correctly implement DNS.

And deSEC has documentation:

Also the web interface is IMHO very intuitive. If you think it lacks documentation then you might consider contributing that to the open source project.

deSEC can’t set the DS entry in the parent domain. It has no access to the parent domain in the general case.

As @peter wrote this is the same for any DNS provider — unless they also happen to be the domain registrar. Granted, many domain registrars also offer DNS in which case they are in a better position to handle the DS records in the parent domain. OTOH many domain registrars do not offer DNSSEC, or they charge extra for DNSSEC, or their DNSSEC implementation is broken. All of which are the reasons for deSECs existence.

But by all means if you don’t like deSEC don’t use it.