Information about DNS and network

Hey all, so I have a MailChimp and it told me to verify my domain. My txt went through, (v=spf1 include:servers.mcsv.net ?all)

But, my Cname will not go through. I created a Cname file with the name k1._domainkey and the value dkim.mcsv.net.

What I’m assuming is the period is messing the whole thing up, everytime I delete the period and save changes it reappears.

I don’t think it’s the TTL as the TXT went through as soon as I entered it…

Any solutions to my dilemma?

Sorry, probably a basic question but I am new to DNS.

I have added a custom A record in my cpanel (football.mysite.com) . I have set this to point to the same IP as my domain mysite.com.

​

Should football.mysite.com now show mysite.com ? I tried this and get a Not Found page and the support chat for my hosting company say I need to add football as a sub domain. Slightly confused!

What steps should I take to authenticate the DNSKEY when I type in this command in my terminal? “dig +dnssec com DNSKEY”

I have a question about DNSSEC on windows DNS (Not Active Directory, windows server 2012R2).

Now I’ve got all the basics running, but a customer also wants to use it with domain delegations. So I made the delegation, works fine. Then added the DS record for the trust anchor and that works too!

​

Except on the secondary DNS server. All other DNSSEC stuff seems to sync just fine, except for the DS record of the delegated zone. It’s such a special case that I can’t seem to find anything about it on google (and dnssec with windows is pretty uncommon anyway).

Can anyone point me in the right direction?

I also deleted all the cname, A, and AAA, maybe this was a mistake? Seemed like they were all pointing to the domain registrars site.

Hi everyone i was wondering since i’m a green rookie in this, How can i point my domain to an vps hosting in a way the hosting doesn’t know which domain register i use !

For Example will this work ? if i point my godady domain NS to cloud flare then in hosting add the domain to vps hosting package , would that work ?

I’m trying to teach myself to properly implement DNSSEC across a local AD domain, and I keep getting broken trust chain errors. I’d like to fix the trust chain if possible. Any info to help will be appreciated.

Big infodump below.

Initial info:
parent public domain: sglrit.com
child local, and private AD domain: hq.sglrit.com

Trust Anchors on local nameservers:

PS C:techScripts> Get-DnsServerTrustPoint TrustPointName TrustPointState LastActiveRefreshTime NextActiveRefreshTime -------------- --------------- --------------------- --------------------- . Active 2018-12-03 8:25:07 AM 2018-12-04 8:25:07 AM com. Active 2018-12-03 9:42:40 AM 2018-12-03 9:42:40 PM sglrit.com. Active 2018-12-03 9:40:04 AM 2018-12-03 10:40:04 AM hq.sglrit.com. Active 2018-12-03 9:25:07 AM 2018-12-03 10:25:07 AM 

I have activated DNSSEC at my registrar and It checks out as secure.

https://dnssec-analyzer.verisignlabs.com/sglrit.com

I then followed this tutorial to activate DNSSEC on my local AD domain.

https://newhelptech.wordpress.com/2017/07/02/step-by-step-implementing-dns-security-in-windows-server-2016/

I then used powershell to export DS records from my local nameserver and entered the records at my public nameserver

Export-DnsServerDnsSecPublicKey -DigestType Sha256 -ZoneName hq.sglrit.com -Path C:Tech -force 

Next I used DIG to confirm the DS records are live on the parent nameserver.

C:WINDOWSsystem32>dig @ns-cloud-c1.googledomains.com. hq.sglrit.com. DS +dnssec +multi ; <<>> DiG 9.10.6 <<>> @ns-cloud-c1.googledomains.com. hq.sglrit.com. DS +dnssec +multi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48265 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;hq.sglrit.com. IN DS ;; ANSWER SECTION: hq.sglrit.com. 300 IN DS 24284 8 2 ( 2A9CDE75A906BC8D3858FC1B0AB42200F598D996F626 CF42CA875F68F073D005 ) hq.sglrit.com. 300 IN DS 24910 8 2 ( AB60C3B4BC4D4AEC69E63F7DAF0AF4E2BDB46F5EB2CC 1CED83AA7F6EE6600A40 ) hq.sglrit.com. 300 IN RRSIG DS 8 3 300 ( 20181222225627 20181130225627 33054 sglrit.com. jZjIfVJC0cusHh3ipzXKAwxpjz1aoGX5WDWJm3dzOCYA OcvCNbxJ1jgjy7/avzSTjKOZsybYhmG5FYeCm6F+IYMQ BRH3PYGir9NKJeOU9EcKu5pj+G0py/1Q3PNgTfzPS0Fi KWjEhp+IX9krLobeReLQQD8s5B1R5ouRwOhUJ3E= ) ;; Query time: 41 msec ;; SERVER: 216.239.32.108#53(216.239.32.108) ;; WHEN: Mon Dec 03 10:10:21 Eastern Standard Time 2018 ;; MSG SIZE rcvd: 308 

Next I checked a local record with DIG to see if it has a signature.

C:Windowssystem32>dig @10.42.60.7 hq.sglrit.com. A +dnssec ; <<>> DiG 9.12.3 <<>> @10.42.60.7 hq.sglrit.com. A +dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22544 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4000 ; COOKIE: 365f2a5dc0aa70f4 (echoed) ;; QUESTION SECTION: ;hq.sglrit.com. IN A ;; ANSWER SECTION: hq.sglrit.com. 600 IN A 10.50.1.4 hq.sglrit.com. 3600 IN A 10.50.1.5 hq.sglrit.com. 600 IN A 10.42.60.7 hq.sglrit.com. 600 IN RRSIG A 8 3 600 20181213014237 20181203004237 17416 hq.sglrit.com. XBlbO+xbnGgmhNBqYS4YI0H/+OWfUpfFbCzQBMUhek9E1XXdQ6lFY8DO JcHR3Q6ErtL7eaazo+nSiu+ihZNCrq9+pRDom6g7PgRyx05eFhmWS3XT r1K34kh27Czq5iObkyQ5Xup9SGnu6xltpTvw39lJvkbfS34oDhR7qVeM Vho= ;; Query time: 0 msec ;; SERVER: 10.42.60.7#53(10.42.60.7) ;; WHEN: Mon Dec 03 10:06:34 Eastern Standard Time 2018 ;; MSG SIZE rcvd: 275 

The DIG command shows an RRSIG, so I see that my local server is signing something, but the DELV command below shows a break in the trust chain that I have no idea how to resolve.

C:Windowssystem32>delv @10.42.60.7 blackbox.hq.sglrit.com. A +vtrace ;; fetch: blackbox.hq.sglrit.com/A ;; validating blackbox.hq.sglrit.com/A: starting ;; validating blackbox.hq.sglrit.com/A: attempting positive response validation ;; fetch: hq.sglrit.com/DNSKEY ;; validating hq.sglrit.com/DNSKEY: starting ;; validating hq.sglrit.com/DNSKEY: attempting positive response validation ;; fetch: hq.sglrit.com/DS ;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53 ;; fetch: sglrit.com/NS ;; validating sglrit.com/NS: starting ;; validating sglrit.com/NS: attempting positive response validation ;; fetch: sglrit.com/DNSKEY ;; validating sglrit.com/DNSKEY: starting ;; validating sglrit.com/DNSKEY: attempting positive response validation ;; fetch: sglrit.com/DS ;; validating sglrit.com/DS: starting ;; validating sglrit.com/DS: attempting positive response validation ;; fetch: com/DNSKEY ;; validating com/DNSKEY: starting ;; validating com/DNSKEY: attempting positive response validation ;; fetch: com/DS ;; validating com/DS: starting ;; validating com/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating com/DS: in fetch_callback_validator ;; validating com/DS: keyset with trust secure ;; validating com/DS: resuming validate ;; validating com/DS: verify rdataset (keyid=2134): success ;; validating com/DS: marking as secure, noqname proof not needed ;; validating com/DNSKEY: in dsfetched ;; validating com/DNSKEY: dsset with trust secure ;; validating com/DNSKEY: verify rdataset (keyid=30909): success ;; validating com/DNSKEY: marking as secure (DS) ;; validating sglrit.com/DS: in fetch_callback_validator ;; validating sglrit.com/DS: keyset with trust secure ;; validating sglrit.com/DS: resuming validate ;; validating sglrit.com/DS: verify rdataset (keyid=37490): success ;; validating sglrit.com/DS: marking as secure, noqname proof not needed ;; validating sglrit.com/DNSKEY: in dsfetched ;; validating sglrit.com/DNSKEY: dsset with trust secure ;; validating sglrit.com/DNSKEY: verify rdataset (keyid=11906): success ;; validating sglrit.com/DNSKEY: marking as secure (DS) ;; validating sglrit.com/NS: in fetch_callback_validator ;; validating sglrit.com/NS: keyset with trust secure ;; validating sglrit.com/NS: resuming validate ;; validating sglrit.com/NS: verify rdataset (keyid=33054): success ;; validating sglrit.com/NS: marking as secure, noqname proof not needed ;; validating hq.sglrit.com/DNSKEY: in dsfetched ;; validating hq.sglrit.com/DNSKEY: falling back to insecurity proof (SERVFAIL) ;; validating hq.sglrit.com/DNSKEY: checking existence of DS at 'com' ;; validating hq.sglrit.com/DNSKEY: checking existence of DS at 'sglrit.com' ;; validating hq.sglrit.com/DNSKEY: checking existence of DS at 'hq.sglrit.com' ;; fetch: hq.sglrit.com/DS ;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53 ;; fetch: sglrit.com/NS ;; validating sglrit.com/NS: starting ;; validating sglrit.com/NS: attempting positive response validation ;; validating sglrit.com/NS: keyset with trust secure ;; validating sglrit.com/NS: verify rdataset (keyid=33054): success ;; validating sglrit.com/NS: marking as secure, noqname proof not needed ;; validating hq.sglrit.com/DNSKEY: in dsfetched2: SERVFAIL ;; no valid DS resolving 'hq.sglrit.com/DNSKEY/IN': 10.42.60.7#53 ;; validating blackbox.hq.sglrit.com/A: in fetch_callback_validator ;; validating blackbox.hq.sglrit.com/A: fetch_callback_validator: got SERVFAIL ;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53 ;; resolution failed: broken trust chain 

Is this as good as it gets on a private domain? or is there something I can do to get proper validation from local AD up to root domain?