Do subdomains need their own DS records for DNSSEC?

My registrar does not support DNS Management without a hosting package. I wrote to the entity that manages the TLD and the records were added. But I would prefer not to write to them every time I add a subdomain to have DS records added.
7 Replies
DarkDeviL
DarkDeviL•5mo ago
Short answer: Yes. Every sub-delegation (with NS records) means you have a new delegation to secure, and it requires the DS record for the child zone to be present in the parent zone. In order for example.com (residing on Cloudflare) to point test.example.com to the name servers at e.g. Amazon Route 53, you will need to add both the NS records, as well as a DS record for test.example.com, on the example.com zone (through Cloudflare). If you do not have that DS record (that is matching the DNSKEY stuff on the test.example.com zone on Amazon Route 53), then you would NOT have secured the path for the child delegation from example.com and down to test.example.com. Re:
But I would prefer not to write to them every time I add a subdomain to have DS records added.
It is only the path from com to example.com that you need to have secured through your domain registrar for example.com. The DS record to secure sub-delegations, like example.com -> test.example.com, will be done in your own example.com zone, on your current DNS service, and does NOT require your registrar's interference, assuming that DNSSEC is already configured through your registrar for example.com.
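As an added example (not code from anyone in this thread, nor from Cloudflare or Route 53), this shows the relationship DarkDeviL describes between the child zone's DNSKEY and the DS record the parent must publish: per RFC 4034 the DS digest is SHA-256 over the child's canonical owner name followed by its DNSKEY RDATA, so checking that a parent-side DS actually matches the child's key is just recomputing it. The key material below is a constructed placeholder, not a real key from any zone.

```python
import base64
import hashlib
import struct

# Constructed sample: a made-up 64-byte public key for algorithm 13 (ECDSAP256SHA256).
# NOT a real key from any zone; real DNSKEY records carry the key base64-encoded like this.
CONSTRUCTED_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
# The same key with one byte altered, to show a DS that no longer matches.
TAMPERED_KEY_B64 = base64.b64encode(bytes([0xFF]) + bytes(range(1, 64))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; an index for pairing DS with DNSKEY, not a security check."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, digest) that the parent zone publishes.
    RFC 4034 section 5.1.4: digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def ds_matches(ds, owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """Parent-side check: does the DS held in the parent match the DNSKEY the child zone serves?"""
    return tuple(ds) == make_ds(owner, flags, protocol, algorithm, pubkey_b64)


if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("test.example.com", 257, 3, 13, CONSTRUCTED_KEY_B64)
    print(f"test.example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Any DS in the parent that fails ds_matches against the key the child actually serves leaves the child delegation unsigned from the validator's point of view, which is exactly the broken chain DarkDeviL warns about.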
Stulla
StullaOP•5mo ago
I am using Cloudflare for DNS. So far, I have two subdomains. One for a Cloudflare Pages site and the other for a Gitlab Pages site. I have read this document https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/dnssec/ but I do not understand a thing, because my DNSSEC records don't have an option to add other records in the Cloudflare Dashboard.
Cloudflare Docs
Enable DNSSEC - subdomain setup · Cloudflare DNS docs
As opposed to the normal process for enabling DNSSEC, DNSSEC with a subdomain setup requires a few additional steps.
DarkDeviL
DarkDeviL•5mo ago
That would normally be done with a couple of CNAME records. There would be nothing additional to (re)configure in regards to DNSSEC for that kind of set up (with CNAME).
Stulla
StullaOP•5mo ago
So, in short, after creating the subdomain as a cname, I don't need to do anything else? Because some subdomains will not be proxied, like the Gitlab one.
DarkDeviL
DarkDeviL•5mo ago
"Need" is sometimes such a big word. 🤔 If you add a CNAME from www.example.com to cname.test.example, Cloudflare will automatically do what needs to be done in regards to www.example.com, under the condition that example.com is properly set up with DNSSEC. DNSSEC's security will however, to some degree, be killed if the destination of the CNAME (e.g. cname.test.example above) is not DNSSEC signed. In order to avoid that, your vendor (e.g. the operator of cname.test.example) would have to make sure their domain has DNSSEC too. With Cloudflare, you can however try enabling the Proxy status (:cloudflare:) for the CNAME, as an attempt to mitigate that part. However, the vendor will not be able to see that the CNAME exists with that configuration, and with many vendors it often gives issues such as:
1. Their system does not detect that your (sub-)domain is configured to use their platform.
2. Their system won't generate any TLS certificates for your (sub-)domain.
Stulla
StullaOP•5mo ago
Now I am beyond confused because I am not understanding your explanation on the relationship between example.com and cname.test.example.com. Is there a way to break this down in layperson's language? My cnames are in the format of test.example.com. My question was whether I need to add any DNSSEC for these and if so, how? Coz I don't see that option in the dashboard. Two subdomains are Cloudflare Pages sites (proxied) and the other points to Gitlab Pages (non-proxied). Cloudflare is the authoritative DNS host. Anyone?
DarkDeviL
DarkDeviL•5mo ago
My cnames are in the format of test.example.com. My question was whether I need to add any DNSSEC for these and if so, how? Coz I don't see that option in the dashboard.
No, there will not be anything else you can do, from your end, than to configure the CNAME record.