Closed paulwouters closed 3 months ago
The reason for exporting a DS record into the public domain without NS records is to make internal-domain DNSSEC automation work with RFC 8078. The DS record makes the automation possible. Using just a trust anchor in resolvers won't allow this kind of KSK rollover automation. Also, when the internal subdomain's DS record is published in public DNS, trust works for internal DNS resolvers without any hacks.
I will admit I've published internal DS records into public DNS zones, to allow the internal resolvers to work.
Marking this to close.
Imagine you want internal.example.com internally, signed with DNSSEC, and you want dns-01 ACME challenges.
You can add a DS without adding NS records. This seems to work (see internal.foobar.fi as an example).
However: https://datatracker.ietf.org/doc/html/rfc3658.html#section-2.2 states:
DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.
Is this something to warn people not to do, or something to advise doing? :)
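A small check for the RFC 3658 section 2.2 rule quoted above, added here as an illustration; it is not code from this issue or from the project. It parses a parent zone file and lists every owner name whose DS RRset has no NS RRset beside it (a DS at a non-delegation point, which is exactly the "DS without NS" pattern discussed in this thread) or that sits at the zone apex. The zone text, key tags, digests and function names are all constructed for the example.

```python
"""Lint DS placement in a zone file against RFC 3658 section 2.2:
DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.
"""

# Constructed sample parent zone (example.com): one proper delegation
# (child has NS + DS), one DS published without NS records (internal,
# the pattern from the thread), and a stray DS at the apex.
# Key tags and digests are placeholders, not real values.
SAMPLE_ZONE = """
; constructed example zone
example.com.          3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.          3600 IN NS  ns1.example.com.
example.com.          3600 IN DS  11111 13 2 PLACEHOLDERDIGEST00
child.example.com.    3600 IN NS  ns1.child.example.com.
child.example.com.    3600 IN DS  22222 13 2 PLACEHOLDERDIGEST01
internal.example.com. 3600 IN DS  33333 13 2 PLACEHOLDERDIGEST02
www.example.com.      3600 IN A   192.0.2.10
"""


def rrtypes_by_name(zone_text):
    """Map each owner name (lower-cased, no trailing dot) to the set of
    RR types present at that name. Handles the plain one-record-per-line
    master format with an optional TTL and class, and ';' comments."""
    types = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        name = tokens[0].rstrip(".").lower()
        rest = tokens[1:]
        # Skip the optional TTL and the class to reach the RR type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)
        if not rest:
            continue
        types.setdefault(name, set()).add(rest[0].upper())
    return types


def zone_apex(types):
    """The apex is the (single) owner name carrying the SOA record."""
    apexes = [name for name, rrtypes in types.items() if "SOA" in rrtypes]
    if len(apexes) != 1:
        raise ValueError("expected exactly one SOA, found %d" % len(apexes))
    return apexes[0]


def ds_violations(zone_text):
    """Return (name, reason) pairs for every DS RRset placed where
    RFC 3658 forbids it: at the apex, or at a name with no NS RRset."""
    types = rrtypes_by_name(zone_text)
    apex = zone_apex(types)
    problems = []
    for name in sorted(types):
        if "DS" not in types[name]:
            continue
        if name == apex:
            problems.append((name, "DS at zone apex"))
        elif "NS" not in types[name]:
            problems.append((name, "DS without NS (non-delegation point)"))
    return problems


if __name__ == "__main__":
    for name, reason in ds_violations(SAMPLE_ZONE):
        print("%s: %s" % (name, reason))
```

Run against the sample zone it reports the apex DS and the DS-only internal.example.com name, while child.example.com (NS plus DS) passes. A real zone can be fed in by reading the file into `ds_violations`; the parser is deliberately minimal and does not expand `$ORIGIN`, relative owner names or `@`.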