Hi,
What must I do to sign all my DNS records with DNSSec. Must I create 3 DS records in my create zone with the keys a got?
Any help is welcome.
Dear Ron, deSEC signs all your records automatically. You can check the signature status with some online tools, e.g. the verisign DNSSEC analyzer, https://dnssec-analyzer.verisignlabs.com/.
Cheers
I checked my domain name with that tool and there I got an error message:
No DS records found for {domain} in the com zone
So that is why as was asking If I had to publish some DS keys.
I’ve solve the problem. The 3 DS key I got I had to publish by my domain registar.
Hi. No need to record the three keys together in a domain registrar. I am using only sha-256. You can control your ds records https://zonemaster.iis.se/en/
Thanks for this info.
I noticed it also more secure, not to use the SHA-1 key anymore.
There are serveral warnings, I got with from different tools.
|Warn| SOA MNAME entry | WARNING: SOA MNAME (set.an.example) is not listed as a primary nameserver at your parent nameserver!|
|Warn| SOA Serial |Your SOA serial number is: 2020065239. This can be ok if you know what you are doing.|
|Warn|SOA RETRY|Your SOA RETRY value is: 86400. That is NOT OK|
The nmane field is not filled in correctly:
No IP address found for SOA ‘mname’ nameserver (set.an.example).
The value of this field is set.an.example, not a real address.
Could that be solved?
Hi Ron,
Those issues are non-issues: The SOA retry value is perfectly fine. For the mname value, see Invalid SOA record.
Stay secure,
Peter