I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error:
DNSKEY found at child, but no DS was found at parent.
Check for DS records in parent zone
We found that none of your DNSKEY records are published at parent. All KSKs (Key Signing Keys) should have a corresponding DS record containing the digest of the key at the parent zone.
Recommendation
Publish DS records for all your DNSKEY (KSK) records in parent DNS zone. This will establish a chain of trust from the parent to your zone.
Anyone know what the problem could be?
I am using Webmin for my BIND configuration and it has an option called "DNSSEC verification", and I think it's done via https://dlv.isc.org/.
I made a screenshot for this:
The problem is exactly per the quoted text.
Validation of DNSSEC-signed data requires either:
In most cases, now that the root is actually signed, the former is preferred. You have a DNSKEY in your zone, and you should submit a DS record to your parent zone administrators. They then sign that record with their own key, and similarly their own DS records get sent to their parent zone, which might be the root. This does, however, require that every level of the DNS between your domain and the root also has DNSSEC.
What is your domain? It's quite possible that your parent domain doesn't yet support DNSSEC.
If they don't, then the next best option is to submit your DS record to ISC's "DLV" repository. This is a well supported DNS feature which allows for secure distribution of trust anchors for domains that don't yet have a fully secure chain of trust all of the way to the "root". Adding your record there will allow other people to validate your domain name.
EDIT: ISC's DLV is no longer in operation.
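The DS record the answer tells you to hand to the parent is a digest of your KSK's DNSKEY, and the "no DS was found at parent" check is nothing more than comparing that digest with what the parent publishes. The following is an added example (not code from the original post or from Webmin/BIND) that derives the DS from a DNSKEY per RFC 4034 and checks a DS in presentation format against it. The zone name, flags and key bytes are constructed sample data, not a real key.

```python
"""
Added example: derive the DS record for a KSK DNSKEY and check a DS
published at the parent against it.  Standard library only.  ZONE and
KSK_PUBKEY_B64 below are constructed sample data, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001   # "Secure Entry Point" bit, set on KSKs (flags 257 = ZONE | SEP)


def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name (lowercased), RFC 4034 section 6.2."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 0 < len(label) < 64:
            raise ValueError("invalid label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum with end-around carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a KSK.
    The digest is H(canonical owner name || DNSKEY RDATA)."""
    if not flags & SEP_FLAG:
        raise ValueError("DNSKEY is not a KSK (SEP flag not set); publish DS for KSKs only")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, ds):
    """Presentation format, ready to hand to the registrar / parent zone."""
    tag, alg, dtype, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)


def parse_ds(text):
    """Parse a DS RR in presentation format, with or without owner/class/type
    (i.e. a full RR line or the RDATA-only output of 'dig +short')."""
    fields = text.split()
    i = fields.index("DS") + 1 if "DS" in fields else 0
    tag, alg, dtype = (int(x) for x in fields[i:i + 3])
    digest = "".join(fields[i + 3:]).upper()   # digest may be split across whitespace
    return tag, alg, dtype, digest


def parent_ds_matches(parent_ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True only if the DS the parent publishes was derived from this DNSKEY
    (same key tag, algorithm, digest type and digest)."""
    parent = parse_ds(parent_ds_text)
    try:
        expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=parent[2])
    except (KeyError, ValueError):   # unknown digest type or not a KSK: cannot match
        return False
    return parent == expected


# --- constructed sample data (not a real RSA key) ---
ZONE = "example.com."
KSK_FLAGS, KSK_PROTO, KSK_ALG = 257, 3, 8   # RSASHA256 KSK
KSK_PUBKEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK_FLAGS, KSK_PROTO, KSK_ALG, KSK_PUBKEY_B64)
    print("Submit to parent:", format_ds(ZONE, ds))
    # Stand-in for what 'dig DS example.com' would return once the parent has it.
    published = format_ds(ZONE, ds)
    print("Parent DS matches our KSK:",
          parent_ds_matches(published, ZONE, KSK_FLAGS, KSK_PROTO, KSK_ALG, KSK_PUBKEY_B64))
```

To check a real zone, feed the line returned by `dig DS <zone> +short` (queried at the parent's servers) to `parent_ds_matches` together with the KSK from the child's DNSKEY RRset; if the parent returns nothing, you are exactly in the situation the error describes. BIND's `dnssec-dsfromkey` performs the same derivation from a key file, so the two should agree on tag and digest. Note that the SEP check is deliberate: a DS for a ZSK will validate, but it ties the parent to a key you intend to roll often, which defeats the point of the KSK/ZSK split.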