Enabling DNSSEC on a parent zone does not automatically break resolution for unsigned child zones. DNSSEC validation behavior depends on whether DS records for the child zone exist at the parent level.
This article explains how unsigned child zones behave when a parent zone is DNSSEC enabled and what conditions can cause resolution to fail.
Behavior When No DS Records Exist for the Child Zone
If DNSSEC is enabled on the parent zone and no DS records exist for the child zone at the parent, the child zone will continue to resolve normally.
In this scenario, DNSSEC validation stops at the parent zone: the parent's signed proof that no DS record exists tells resolvers the delegation is deliberately insecure. The child zone is treated as insecure, and responses from the child zone will not carry the AD (Authenticated Data) flag.
Behavior When DS Records Exist for the Child Zone
If DS records for the child zone are present at the parent zone, DNSSEC validation is extended to the child zone. In this case, the child zone must also be DNSSEC signed.
If the child zone is not signed while DS records exist at the parent, DNS resolution for the child zone will fail for clients behind validating resolvers, because the DNSSEC chain of trust cannot be completed.
Why This Matters
DNSSEC relies on a complete and valid chain of trust from the parent zone to the child zone. Publishing DS records signals to resolvers that the child zone is expected to be signed.
If that expectation is not met, validation errors occur and responses are rejected by validating resolvers.
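The three outcomes described above (no DS: insecure; DS matching a child DNSKEY: secure; DS with no signed child or no matching key: bogus) can be reproduced with the DS construction from RFC 4034. The following is an added example, not code from the original article; the DNSKEY material is constructed for illustration, and the child's DNSKEY list stands in for its signed DNSKEY RRset.

```python
import hashlib


def name_to_wire(name):
    # Owner name in canonical wire format: lowercase, length-prefixed labels, root terminator.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key.
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata):
    # RFC 4034 Appendix B: 16-bit key tag over the DNSKEY RDATA.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata):
    # RFC 4034 5.1.4: digest = SHA-256(owner name wire form | DNSKEY RDATA); digest type 2.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def delegation_state(parent_ds, child_dnskeys, owner):
    # parent_ds: DS tuples (tag, alg, digest type, hex) published at the parent; empty means
    # the parent proves there is no DS. child_dnskeys: DNSKEY RDATA the child serves; empty
    # means the child is unsigned. Returns what a validating resolver concludes.
    if not parent_ds:
        return "insecure"        # unsigned child under a signed parent resolves fine
    if not child_dnskeys:
        return "bogus"           # DS published but child unsigned: chain cannot complete
    computed = {ds_from_dnskey(owner, k) for k in child_dnskeys}
    published = {(t, a, d, h.lower()) for (t, a, d, h) in parent_ds}
    return "secure" if computed & published else "bogus"


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")   # constructed KSK, not a real key
    ds = ds_from_dnskey("example.com.", ksk)
    print("no DS, unsigned child :", delegation_state([], [], "example.com."))
    print("DS, matching DNSKEY   :", delegation_state([ds], [ksk], "example.com."))
    print("DS, unsigned child    :", delegation_state([ds], [], "example.com."))
```

Before publishing a DS, compare the tuple returned by ds_from_dnskey against what the parent will serve; a mismatch in tag, algorithm or digest yields the same "bogus" result as an unsigned child.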
Recommended Practices
- Do not publish DS records for a child zone unless the child zone is DNSSEC signed.
- Unsigned child zones can exist under a DNSSEC-signed parent as long as no DS records are present.
- Coordinate DNSSEC enablement carefully when delegating or migrating child zones.