SOA RRset / DNSKEY

SYSTEM INFORMATION
OS type and version Ubuntu Linux 24.04.2
Virtualmin version 7.30.4 Pro

Hi

I have some problems with RRset / DNSKEY!

I get an error when I run a Zonemaster test. → https://zonemaster.net/en/result/7d26f09696bd6b8f

I have two servers. One main server and a second server that runs as a second DNS server.

How can I get rid of the error in the Zonemaster test?

Please help me in a very noob friendly way - I'm a big noob!

EDIT: If DNSKEY at child, parent should have DS

says an IP: “193.163.102.222” that’s the Danish register of domain names

Thanks

Thomas

This means you need to submit the DS (Delegation Signer) to your registrar. Assuming they support DNSSEC, they would then sign it and serve it, providing a complete chain of trust from root zone down to your zone.

Or, you could just not use DNSSEC. It provides no useful security that TLS doesn’t already provide for the vast majority of users. (Any service that uses TLS is already protected against MITM and spoofing and such. DNSSEC is almost certainly unnecessary complexity.)

Hi @Joe

Thanks for the reply - I appreciate it.

Now I got those errors:

https://zonemaster.net/en/result/12a45de5b4ea1156

Here are the settings from punktum.dk (the Danish register of .dk domain names).

Can you help me with these errors?

Regards

Thomas

No, I don’t have answers for those. I don’t use DNSSEC (because it provides no additional security for the stuff I do), so my experience with it is quite limited.

But, it seems like you need to use a different digest algorithm when creating the DS.

1 Like
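
The DS record discussed in the replies above is a hash of the zone name plus the child zone's DNSKEY, and its digest type field says which hash was used. The following is an added example (not code from the thread or from Virtualmin) that derives the DS for digest types 1 (SHA-1), 2 (SHA-256) and 4 (SHA-384) and checks a DS published at the parent against the key; the owner name and key are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to their hash functions.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a real key: flags 257 (KSK), protocol 3,
# algorithm 13 (ECDSA P-256), with a dummy 64-byte public key.
SAMPLE_OWNER = "example.dk."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())


def name_to_wire(name):
    """Canonical wire format of a name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey, digest_type):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest


def ds_matches(ds, owner, dnskey):
    """True if a DS published at the parent was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    return make_ds(owner, dnskey, dtype) == (tag, alg, dtype, digest.replace(" ", "").upper())


if __name__ == "__main__":
    for dtype in sorted(DIGESTS):  # same key, one DS per digest type
        print(SAMPLE_OWNER, "IN DS", *make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, dtype))
```

The key tag and algorithm are identical for every digest type; only the last two fields change, so replacing a DS at the registrar with one of a different digest type does not require a new key.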

Hi @Joe

Okay… - Thanks for the reply

How can I disable DNSSEC??

In the same place you enabled it.

But, now that you’ve added a DS at your registrar, you also need to remove that.

1 Like

Hi…

Thanks for the reply. - Now my site runs without errors!

I am marking this post as fixed.

1 Like

In case you want to understand why I’m dismissive of DNSSEC and assert it provides no useful security benefits for services that can use TLS, this article by a pretty well-known security expert covers it better than I could: Against DNSSEC — Quarrelsome
