Introduction
This article discusses the steps needed to authorize DNSSEC validation for a child zone of a subdomain.
Procedure
Sometimes it becomes necessary to separate a subdomain into its own zone file. When using DNSSEC you will need to configure the authority chain to ensure that the new zone is able to pass validation. To accomplish this, you will need to enable DNSSEC for both zones and configure the subdomain's NS and DS records in the parent zone.
Enabling DNSSEC
You will first need to enable DNSSEC on both the parent and subdomain zones. To enable DNSSEC for the zone files, you will need to generate DNSSEC keys in the cPanel Zone Editor or WHM DNS Zone Manager. This option can be located by clicking the DNSSEC button next to the applicable domain name. For more details regarding these interfaces, see the following documentation.
For users to view and manage DNSSEC keys in the cPanel interface, the feature Manage DNSSEC will need to be enabled. For additional information, see the following article.
If the parent zone was not previously configured for DNSSEC validation, you will need to publish the parent zone's DS record (derived from its DNSSEC key) at the registrar before proceeding with the following steps; without that, the chain of trust stops above the parent and the subdomain zone cannot validate either.
Add the NS/DS records
Once the zones are configured for DNSSEC validation, you will then need to configure the DS and NS records of the subdomain in the parent zone. Unlike the previous steps, the NS and DS record types can only be managed through the WHM DNS Zone Manager interface.
The DS records are generated automatically when creating the DNSSEC key. These can be viewed through both the WHM DNS Zone Manager and cPanel Zone Editor by clicking the button labeled View DS Records under the DNSSEC section for the domain. You will need to copy the Key Tag, Algorithm, Digest Type, and Digest of the subdomain's DS record so you can add it to the parent zone.
You can also find the DS records using the pdnsutil command below, where domain.tld represents the domain you are checking.
pdnsutil show-zone domain.tld
The NS records should point to the nameservers that will serve the subdomain zone. Any nameservers can be used, but it is advisable that both the parent and subdomain use the same ones.
Once both record types have been added, the parent zone delegates the subdomain to the nameservers listed in the NS records and, through the DS record, vouches for the key that signs the subdomain zone. If configured correctly, the records in the parent zone will look something like the following example.
sub.domain.tld. 14400 IN NS ns1.domain.tld.
sub.domain.tld. 14400 IN NS ns2.domain.tld.
sub.domain.tld. 14400 IN DS 12345 3 1 bbb00112233445566778abc123456789defg
In the DS record above, 12345 is the Key Tag, 3 is the Algorithm (DSA/SHA-1), 1 is the Digest Type (SHA-1), and the final field is the Digest.
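As an added example (not from this article or from cPanel/WHM), the following Python checks that a DS record copied into the parent zone really corresponds to the subdomain's DNSKEY, using the DS construction from RFC 4034 (digest over the owner name in wire format followed by the DNSKEY RDATA, key tag per Appendix B). The DNSKEY fields and key material are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY for sub.domain.tld (NOT real key material).
# RDATA layout per RFC 4034 section 2: flags, protocol, algorithm, public key.
SAMPLE_NAME = "sub.domain.tld."
SAMPLE_FLAGS = 257                 # zone key with the SEP bit set (a KSK)
SAMPLE_PROTOCOL = 3                # always 3 for DNSSEC
SAMPLE_ALGORITHM = 13              # ECDSAP256SHA256
SAMPLE_PUBKEY = bytes(range(64))   # placeholder bytes standing in for the public key

# Digest Type values from the DS record and the hash each one denotes.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Encode a dotted owner name in lowercase DNS wire format (RFC 4034 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Serialize DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the variant for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(name, flags, protocol, algorithm, pubkey, digest_type):
    """Build the (Key Tag, Algorithm, Digest Type, Digest) tuple for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(name) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()

def ds_matches(expected_ds, name, flags, protocol, algorithm, pubkey):
    """Return True if the DS tuple published in the parent matches this child DNSKEY."""
    tag, alg, dtype, hexdigest = expected_ds
    if dtype not in DIGEST_ALGS:
        return False
    computed = ds_from_dnskey(name, flags, protocol, algorithm, pubkey, dtype)
    return computed == (tag, alg, dtype, hexdigest.upper())

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_NAME, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                        SAMPLE_ALGORITHM, SAMPLE_PUBKEY, 2)
    print("DS to publish in parent:", ds)
```

A mismatch here (wrong Key Tag, Algorithm or Digest Type, or a digest copied with a typo) is exactly the condition that makes resolvers treat the subdomain zone as bogus.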
To verify your zones are correctly configured, see the following article.
How do I know if DNSSEC is enabled on a domain?