Hey SWINOGgers,
I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for. For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust. However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not... Is this a known problem?
Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have to do with the algorithm being used.
Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?
Random example, e.g. gkb.ch (notably a bank...)
```
dig +short @dns1.inventx.ch gkb.ch dnskey
256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=

dig +short @a.nic.ch gkb.ch ds
```
-> no DS record
Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):
```
dig +short @ns2.switch.ch switch.ch dnskey
257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==

dig +short @a.nic.ch switch.ch ds
32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C
```
Could anybody shed some light on this?
Thx & Gruass, Franco
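The comparison Franco did by hand above (DNSKEY at the child's authoritative server versus DS at the .ch registry) can be reproduced offline from captured dig output. This is an added example, not code from the post or from SWITCH: it uses only the Python standard library, computes the RFC 4034 key tag and DS digest itself, and takes its input data verbatim from the dig answers quoted above (the switch.ch KSK and DS, and the gkb.ch ZSK with the empty DS answer).

```python
import base64
import hashlib

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 section 6.2."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(presentation: str) -> bytes:
    """'flags proto alg base64...' as printed by dig +short -> DNSKEY RDATA bytes."""
    flags, proto, alg, *key = presentation.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over owner name + DNSKEY RDATA (RFC 4034 section 5.1.4); type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()

def check_delegation(owner: str, dnskeys: list, ds_records: list) -> list:
    """Return (key tag, algorithm) of every DS that matches a DNSKEY the child actually serves."""
    served = {}
    for pres in dnskeys:
        rd = dnskey_rdata(pres)
        served[(key_tag(rd), rd[3])] = rd  # rd[3] is the algorithm byte
    matched = []
    for ds in ds_records:
        tag, alg, dtype, digest = ds.split(maxsplit=3)  # digest may be wrapped by dig
        rd = served.get((int(tag), int(alg)))
        if rd and ds_digest(owner, rd, int(dtype)) == digest.replace(" ", "").upper():
            matched.append((int(tag), int(alg)))
    return matched  # empty list: no usable DS at the parent, the chain of trust is broken

# Copied from the dig output quoted in the post; spaces inside base64 are dig's line wrapping.
SWITCH_KSK = ("257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J"
              " 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==")
SWITCH_DS = ["32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C"]
GKB_ZSK = ("256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ"
           " VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ"
           " KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55")
GKB_DS = []  # a.nic.ch answered without any DS record, as in the post

if __name__ == "__main__":
    for zone, keys, ds in (("switch.ch", [SWITCH_KSK], SWITCH_DS), ("gkb.ch", [GKB_ZSK], GKB_DS)):
        print(zone, "matching DS:", check_delegation(zone, keys, ds) or "none (chain broken)")
```

The same functions work on any dig +short DNSKEY/DS output, so they can be dropped into a monitoring check that alerts when a registry silently stops publishing the DS for a zone.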
Not sure if/how it relates to this situation, but it’s notable that the DNSSEC key signing ceremony was a couple of days ago?
https://www.iana.org/dnssec/ceremonies/49
I don’t see any deprecations but maybe someone needs an update somewhere?
BR John
Alg 7 is ancient and deprecated...
When one has DNS issues, especially DNSSEC related, run dnsviz:
https://dnsviz.net/d/gkb.ch/ZDeung/dnssec/
as that will show you what is off:
```
• gkb.ch zone: The server(s) were not responsive to queries over UDP. (2001:67c:2350:11::bad:babe)
• gkb.ch/A: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
• gkb.ch/NS: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
```
```
• RRSIG gkb.ch/A alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/A alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
```
Greets, Jeroen