Enabling DNSSEC for a Sub-Domain created as a full domain in DirectAdmin

Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"

Top Level » DNS » DNSSEC

Enabling DNSSEC for a Sub-Domain created as a full domain in DirectAdminLast Modified: Oct 17, 2018, 5:25 pm
Note: DirectAdmin 1.51.0+ support the automated adding of the DS records over to the parent zone, enabled by default:

As well as for Multi-Server Setup combinations where the parent zone is on a remote MSS server with DirectAdmin 1.54.0+, enabled by default:

Feel free to step through the steps below to confirm that the above functions worked correctly.

This example assumes you've already enabled DNSSEC on one of your domains.


  1. You have DNSSEC signed domain:
  2. You also have a subdomain: .jbmc-software.com created as a "full" domain with it's own zone.
For this example, because subtest.jbmc-software.com has it's own zone file, fully separate from jbmc-software.com, we must also sign the subdomain, and transfer it's DS records up the chain of trust.


  1. Sign the jbmc-software.com domain normally, as per the normal DNSSEC guide
  2. Sign the subtest.jbmc-software.com zone in the same manner.
  3. Go to the subtest.jbmc-software.com zone, and take the 2 DS records from the bottom of the zone, and paste them into the main jbmc-software.com zone:
    • DNS Admin -> jbmc-software.com
    • Add Domain Records
    • Add DS record:

      subtest  DS    1234 5 1 1234...

      Do this for both DS records.
  4. Still in the jbmc-software.com zone, delegate the NS records to the subtest zone.  To do this, add 2 new NS records

    subtest   NS    ns1.jbmc-software.com.

    and the same for ns2.  Use the same ns1/ns2 values where the subtest.jbmc-software.com zone lives.  For most cases, this will be on the same server, so use the same ns1/ns2 records as for jbmc-software.com.  But you are allows to have the subtest.jbmc-software.com zone live on some other dns server, so just enter the ns1/ns2 as needed.


The signging of the jbmc-software.com zone will fail when the DS records for subtest exist in jbmc-software.com, but the NS records for subtest are not explicitly set in the jbmc-software.com zone.  This error would look like:

dnssec-signzone: fatal: 'subtest.jbmc-software.com': found DS RRset without NS RRset

Related Helpfiles
Enabling DNSSSEC on your DirectAdmin server

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST