Are subdomains possible?

I read some older threads on this topic but I'm not sure of the conclusion. Also, in the domain panel I registered ..dedyn.io and it's seemingly not getting propagated. Is there another way of configuring subdomains?

Hi Som,

Not sure what you are asking exactly. Technically, example in example.dedyn.io is a subdomain of dedyn.io.

Are you asking about example.dedyn.io or other.example.dedyn.io?

Again, it is unclear what you mean exactly.

What is the result of dig example.dedyn.io (or dig other.example.dedyn.io)?

If that does not yield answers, try: dig @ns1.desec.io example.dedyn.io (or dig @ns1.desec.io other.example.dedyn.io)
And all of the above specifying AAAA records, e.g. dig example.dedyn.io aaaa, etc.

Also how did you set values for the A or AAAA records? Did that yield a good status?

HTH
fiwswe

Update: I just tried to use something like other.example.dedyn.io. It worked fine.

I was able to update using the https://update.dedyn.io mechanism (see: IP Update API — deSEC DNS API documentation) as well as the web GUI interface. My local DNS resolvers picked up the changes just fine (allowing for TTL timeouts of course).

HTH
fiwswe

Hmm, apparently it depends on the nameserver. I get a correct answer from ns1.desec.io but not from other (more upstream) nameservers. ATM I usually get an empty answer with
‘; EDE: 6 (DNSSEC Bogus)’; just with 1.1.1.1 I get ‘; EDE: 12 (NSEC Missing): 66 61 69 6c 65…’
Did I fail to link the subdomain to the domain with DNSSEC?

Also, to clarify: this is just about other.example.dedyn.io (so maybe a sub-subdomain?)


Hi,

Did you create the subdomain as a separate domain? (i.e. you did not create an RRset with the subdomain name in the subname field, and instead created a full domain?)

If so, you need to get DS delegation records at the parent domain, to configure the DNSSEC chain of trust.

Stay secure,
Peter

Did you solve this problem?

I can use
nslookup myhost.mydomain.dedyn.io ns1.desec.io

with success, but the data is not propagated.
nslookup myhost.mydomain.dedyn.io 1.1.1.1
or
nslookup myhost.mydomain.dedyn.io 9.9.9.9
cannot find that host after a few hours of waiting for propagation.
Only asking Alternate DNS = 76.223.122.150
nslookup myhost.mydomain.dedyn.io 76.223.122.150
was successful.

My strong feeling is that Google, Quad9 and Cloudflare do not trust desec.io.
What a pity.

Hi halhalhal!

Despite your “strong feeling” that other DNS forwarders do not trust deSEC this is not the case!

deSEC works fine and is trusted as far as that goes. (Actually deSEC as an entity does not need to be trusted by other DNS resolvers. However the individual domains for which deSEC is set up as the authoritative NS need to have the correct chain of trust. And deSEC will make sure that valid DNSKEY, RRSIG and NSEC3 records are generated.)

If a particular domain does not work then you have probably misconfigured something. E.g. missing or incorrect DS records in the parent domain as @peter suggested in his answer above.

You can check this using the DNSViz tool. It will tell you exactly where things go wrong w.r.t. DNSSEC.

fiwswe

Thank you for the suggestion

deSEC does not work very well with DS records.

E.g. missing or incorrect DS records in the parent domain as @peter suggested in his answer above.
He mentioned something undocumented.

The “usual” entry for DS records looks like this:
abc.com. @ 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42

I did not find any way to add this line in deSEC.

As a programmer I would say it is easy to generate this data automatically - but OK, I have to manually cut/copy/paste this data into a system which knows all the data.

When using cut/copy/paste, the web interface has its own logic and does not show the result.

With trial-and-error - which I would not call “working fine” - I found that when pasting:

  • the subdomain name is not checked by the interface - I used another interface in the past, so I expected a check - my fault, that deSEC is not so advanced
  • the security information is unexpectedly changed by the web interface

The subdomain has to be entered exactly without any domain part as abc. or fully qualified with a trailing dot as abc.com.
Sounds logical? Yes and no, because where do I have to enter the @ and IN from the raw format? Nowhere. And this is the point.
I have no idea what deSEC is doing magically and which parts it is not. The result is not shown, is it?
A system that magically adds undocumented parts is not very trustworthy.

The security lines after DS must be manually copied line by line. First copy to the clipboard, into a text editor, and then line by line back into the web interface.

you have probably misconfigured something
I did it right - because all information was entered.
I would not say that I misconfigured the data in the fields - but the web interface misconfigured my correct data by generating wrong internal records.

So it's time to say thank you and goodbye.

The DS records go into the parent domain. Is deSEC the authoritative NS for the parent domain? If not, you probably need to interact with your registrar to get them to make the change in the parent domain.

For example if your domain is example.com then the DS records need to go into the com domain for which you will have no direct access. However the registrar that you have registered example.com with should have a method to add/update the DS records in the com domain.

If you are talking about a subdomain of example.dedyn.io, i.e. subdomain.example.dedyn.io, then I have successfully done this (using example and subdomain.example as placeholder names for your names):

  • Create the domain example.dedyn.io.
  • Create the domain subdomain.example.dedyn.io.
  • Add one or more DS records named subdomain to example.dedyn.io and set their values to the correct values for subdomain.example.dedyn.io.
  • Add NS records named subdomain to example.dedyn.io with values ns.desec.io. and ns2.desec.org..

I have not tried the API in this case but you can certainly set the DS and NS records up using either the API or the web interface.

You seem to be under the misconception that the raw BIND style format is mandatory in some way. It is not. The same information can be presented in different ways and as it happens deSEC uses a very nice web gui or a JSON based API.

BTW, @ is just a shorthand for the domain name, and IN is basically redundant because we are only dealing with internet domains here.

fiwswe
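The DS record fiwswe adds to example.dedyn.io in the steps above has to match the child zone's DNSKEY exactly: the digest is computed over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4, SHA-256 per RFC 4509), and the key tag is the checksum from RFC 4034 Appendix B. The following is an added example, not deSEC's code and not anything posted in this thread, that computes a DS from a DNSKEY, parses a BIND-style DS line like the one quoted earlier into the bare "tag alg digest-type digest" content the deSEC record takes, and checks that a DS matches a DNSKEY. Names and key material are constructed (the 4-byte "public key" is a placeholder, not a valid ECDSA key); in practice the DNSKEY fields would come from `dig subdomain.example.dedyn.io DNSKEY`.

```python
"""Compute and verify DS records from DNSKEY data (RFC 4034 sec. 5.1.4 and App. B).

Added example, not deSEC code. All names and keys below are constructed placeholders.
"""
import base64
import hashlib
import struct

# IANA DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over the RDATA
    (valid for every algorithm except the long-obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the given DNSKEY."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds_presentation(line: str):
    """Parse a BIND-style DS line ('owner. TTL IN DS tag alg dtype digest...') into
    (owner, (tag, alg, dtype, digest)); dig often prints the digest split by spaces."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    return fields[0], (tag, alg, dtype, digest)


def ds_matches(ds, owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """True if the DS (tag, alg, dtype, digest) was derived from this DNSKEY at this owner name."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: a validator cannot use this DS
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return (tag, alg, dtype, digest.replace(" ", "").upper()) == expected


# Constructed placeholder DNSKEY: KSK flags 257, protocol 3, algorithm 13, 4 dummy key bytes.
EXAMPLE_OWNER = "subdomain.example.dedyn.io."
EXAMPLE_KEY_B64 = "AQIDBA=="  # base64 of bytes 01 02 03 04 (not a real key)

if __name__ == "__main__":
    ds = ds_from_dnskey(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64)
    # This "%d %d %d %s" string is exactly what goes into the DS record at the parent.
    print("DS content:", "%d %d %d %s" % ds)
    print("matches child DNSKEY:", ds_matches(ds, EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64))
    # Same key published under the wrong owner name yields a different digest.
    print("matches at wrong name:", ds_matches(ds, "example.dedyn.io.", 257, 3, 13, EXAMPLE_KEY_B64))
```

A mismatch here (wrong owner name, a DNSKEY that was rolled after the DS was copied, or a digest truncated during copy/paste) is exactly what makes a validating resolver return "DNSSEC Bogus" while the authoritative server still answers normally.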

This line is generated by the DNS provider (in this case, deSEC), but it needs to be added in the parent domain (in your example, in the .com zone). That’s why you need to take the DS record and forward it to your domain reseller, where you purchased your domain.

It works the same way like this with all DNS providers, and this complication has nothing to do with deSEC. (Only when the DNS provider is also the domain reseller, they can act without the domain owner telling them to do it.)

I am sorry to say, but you’re on the wrong track regarding how the whole thing works. I’d recommend going over a tutorial that explains the technical concepts, such as this one.

Stay secure,
Peter

You seem to be under the misconception that the raw BIND style format is mandatory in some way. It is not.

That is the point!
If deSEC is not using the BIND style, then I expect documentation about it.
Otherwise I have to do trial-and-error.

The deSEC style is not BIND style - but what is deSEC doing with the data?
It is not automatically setting the DS entry.
And the deSEC web interface is not able to use the obw data in a cut/copy/paste style.

Sorry, but the web gui is not nice for me.
The documentation about the JSON-based API is missing a lot of information about the names of the values etc. I would not call it nice. How to generate a lifetime token? How to get the token from and token by id? How to set a value inside a token? For example - how to set the “token” value of a token referenced by id? All this seems to be impossible. I would not call the API “nice”.

Yes and no.
All DNS providers have their own interface.
The interface is my problem. The interface is doing some invisible magic.
I guess it is (was) my problem.

Why? Unless you are in fact running BIND many of the DNS providers I have experience with have user interfaces that are different than raw BIND style. deSEC is not implemented using BIND. So why would they care about how BIND does things? The important part is that they correctly implement DNS.

And deSEC has documentation:
https://desec.readthedocs.io/en/latest/

Also the web interface is IMHO very intuitive. If you think it lacks documentation then you might consider contributing that to the open source project.

deSEC can’t set the DS entry in the parent domain. It has no access to the parent domain in the general case.

As @peter wrote this is the same for any DNS provider — unless they also happen to be the domain registrar. Granted, many domain registrars also offer DNS in which case they are in a better position to handle the DS records in the parent domain. OTOH many domain registrars do not offer DNSSEC, or they charge extra for DNSSEC, or their DNSSEC implementation is broken. All of which are the reasons for deSEC's existence.

But by all means if you don’t like deSEC don’t use it.

fiwswe

Sorry to revive this thread after a year, but this seems to be the only example in this forum where the setup of a subdomain/CNAME is actually described step by step. For a novice like me, generally knowing what a CNAME record is doesn’t suffice when it comes to setting it up specifically in the Desec environment. Having followed your explanation, I still don’t get a functional subdomain.

So I set up 2 domains in the GUI, like in the example

  • subdomain.example.dedyn.io having only the CNAME record and nothing else (pre-set NS record deleted). Here the subname is set to subdomain and the target hostname is set to example.dedyn.io.

  • example.dedyn.io (already existent) was extended with a DS and (additional) NS record. The DS record got the key tags, digests etc from the subdomain and the subname subdomain. The NS record got the subname subdomain and was given the same NS as the root domain (ns1.desec.io, ns2.desec.org).

subdomain.example.dedyn.io is still not reachable. In the setup instructions a link to dnssec-analyzer is given, this shows me that almost everything is fine.

What fails is that no DNSKEY records were found (I guess this isn’t really necessary, since there are DS RRsets?) and that there are no known nameservers for subdomain.example.dedyn.io. I checked the NS record multiple times and can’t find any errors.

Do you know anything I can try or have to change in the setup, as mentioned?

Hi Asarhaddon,

Thanks for your message, and welcome to deSEC! :slight_smile:

The steps you described are correct. To debug this further, you’ll have to share your domain name so that it’s possible to take a look.

Stay secure,
Peter

Hi @peter

thanks for your help, I’ll write you a mail.

Cheers.

It appears that the issue is that you deleted the subzone’s NS records.

Stay secure,
Peter

This is what I read in some posts in the forum, that a subzone should only contain the CNAME record. And in fact, adding the NS record again later on brings up this error message:

“RRset with conflicting type present: database (CNAME). (No other RRsets are allowed alongside CNAME.)”

So I deleted the subdomain and created it again, thus having the NS record right from the start (although without subname). I then created a new CNAME record like before; this way one can have more than 1 RRset when using CNAME, apparently.

Now dnssec-analyzer.verisignlabs.com shows everything working, but it still isn’t in reality.

Google DNS shows this:

"Authority": [ { "name": "subdomain.example.dedyn.io.", "type": 6 /* SOA */, "TTL": 300, "data": "[get.desec.io]. [get.desec.io]. 2023062990 86400 3600 2419200 3600" } ]

Could it be that this subdomain doesn’t get the A record propagated?

That’s not correct. You can’t have a CNAME at the “root” of a domain (empty subname), as described in the docs: Retrieving and Creating DNS Records — deSEC DNS API documentation

I am wondering where you actually need to create your name as a second domain. Have you considered deleting that second domain, and just creating a CNAME for that subname in your main domain? That way, you don’t run into this problem, and you also don’t need to deal with DS records and all of that.

That is not how it’s working. Are you sure that the CNAME has an empty subname field?

Stay secure,
Peter
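The two configurations that failed in this thread (a child zone whose apex NS records were deleted, a CNAME placed at the apex, and earlier on a delegation with no DS at the parent) can all be caught before anything is published. Below is an added example, not deSEC's code and not from any participant here, that lints a parent/child pair given as lists of RRset dictionaries. The `subname`/`type`/`ttl`/`records` shape mirrors the RRset objects of the deSEC API as I read its documentation, and is an assumption of this example; the sample zones are constructed, and the DS digest in them is a zero-filled placeholder, not a real value.

```python
"""Lint a zone delegation (parent zone cut + child apex) before publishing it.

Added example, not deSEC code. RRsets are plain dicts shaped like the deSEC API's
RRset objects as I understand them (subname, type, ttl, records); that shape is an assumption.
"""


def _rrsets_at(rrsets, subname):
    """All RRsets owned by the given subname ('' is the zone apex)."""
    return [r for r in rrsets if r["subname"] == subname]


def _ns_names(rrsets):
    """Sorted, lowercased, fully-qualified NS target names from the given RRsets."""
    return sorted({rec.lower().rstrip(".") + "."
                   for r in rrsets if r["type"] == "NS" for rec in r["records"]})


def check_delegation(parent_rrsets, child_rrsets, subname):
    """Return a list of human-readable problems; an empty list means the zone cut looks sane."""
    problems = []

    # Parent side: the zone cut must carry NS (delegation) and DS (chain of trust), nothing else.
    cut = _rrsets_at(parent_rrsets, subname)
    parent_ns = _ns_names(cut)
    if not parent_ns:
        problems.append(f"parent has no NS RRset at subname '{subname}': nothing delegates the child")
    if not any(r["type"] == "DS" for r in cut):
        problems.append(f"parent has no DS RRset at subname '{subname}': "
                        "validating resolvers will treat the child as bogus (EDE 6)")
    stray = sorted({r["type"] for r in cut} - {"NS", "DS"})
    if stray:
        problems.append(f"parent carries {stray} at the zone cut; such records are occluded by the delegation")

    # Child side: the apex must keep its NS RRset and must not be a CNAME.
    apex = _rrsets_at(child_rrsets, "")
    child_ns = _ns_names(apex)
    if not child_ns:
        problems.append("child apex has no NS RRset (deleting the pre-set NS records breaks the zone)")
    if any(r["type"] == "CNAME" for r in apex):
        problems.append("child apex has a CNAME; no other RRsets may coexist with a CNAME, "
                        "and the apex always carries SOA and NS")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS names differ: parent says {parent_ns}, child says {child_ns}")
    return problems


# Constructed sample data for a working zone cut (digest is a placeholder, not a real DS)...
GOOD_PARENT = [
    {"subname": "", "type": "NS", "ttl": 3600, "records": ["ns1.desec.io.", "ns2.desec.org."]},
    {"subname": "subdomain", "type": "NS", "ttl": 3600, "records": ["ns1.desec.io.", "ns2.desec.org."]},
    {"subname": "subdomain", "type": "DS", "ttl": 3600, "records": ["2068 13 2 " + "00" * 32]},
]
GOOD_CHILD = [
    {"subname": "", "type": "NS", "ttl": 3600, "records": ["ns1.desec.io.", "ns2.desec.org."]},
    {"subname": "www", "type": "A", "ttl": 3600, "records": ["192.0.2.10"]},
]
# ...and for the setup described in the thread: apex NS deleted, CNAME placed at the apex.
BROKEN_CHILD = [
    {"subname": "", "type": "CNAME", "ttl": 3600, "records": ["example.dedyn.io."]},
]

if __name__ == "__main__":
    for label, child in (("good", GOOD_CHILD), ("broken", BROKEN_CHILD)):
        print(label, check_delegation(GOOD_PARENT, child, "subdomain") or "OK")
```

As Peter points out, if the only thing wanted under the subname is a CNAME, a single CNAME RRset with that subname in the main domain avoids the zone cut, and with it the NS and DS bookkeeping, entirely.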

I followed this guide, and that's where the problems began :slight_smile:

So I did what you suggested, and it worked! Perhaps, helpful guides like this could have a sticky on top of this forum, so other noobs like me could find them easily?

Thank you very much!