Re: Domain no longer fully secure after move

2022-12-16 Thread Sandro

On 16-12-2022 10:26, Ondřej Surý wrote:

> some registrars or registries strip the DS record when you move between 
> registrars.
> I don't know if this is the case with .nl, but I just know that it might happen.


It sure was stripped. Before I provided the details for the DS entry 
myself, since I also signed the zone myself.


I would have expected the new registrar to take care of the DS record, 
since they are now the party signing the zone.


-- Sandro
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Domain no longer fully secure after move

2022-12-16 Thread Ondřej Surý
> On 16. 12. 2022, at 9:25, Sandro wrote:
> 
> The missing DS record in the .nl domain is all that's wrong. That breaks the 
> chain of validation, therefore showing all penguinpee.nl entries as insecure.

Hi,

some registrars or registries strip the DS record when you move between 
registrars.
I don't know if this is the case with .nl, but I just know that it might happen.

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.




Re: Domain no longer fully secure after move

2022-12-16 Thread Sandro

On 14-12-2022 19:13, Sandro wrote:

> I recently (last weekend) moved the domain to a new registrar. The keys
> are now managed by the registrar directly. At least I don't see an
> option providing my own or additional keys in their web interface.
>
> Moreover, I'm no longer running my own DNS server. 
> Previously, I could set my own BIND server as a primary server for my
> domain and have the registrar use AXFR to update the secondaries.
>
> The DNSViz analysis for the current situation:
> https://dnsviz.net/d/penguinpee.nl/Y5oJSw/dnssec/
>
> And from before the move:
> https://dnsviz.net/d/penguinpee.nl/Yq3P8w/dnssec/
>
> Verisign has one single complaint: No DS records found for penguinpee.nl
> in the nl zone.


Answering my own mail, by way of slapping my palm on my forehead.

The missing DS record in the .nl domain is all that's wrong. That breaks 
the chain of validation, therefore showing all penguinpee.nl entries as 
insecure.


I got confused earlier, since the RRs in penguinpee.nl are actually 
signed. But it's the validation that breaks due to the missing DS 
record. End of year fatigue...


-- Sandro
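The failure Sandro describes (signed zone, no DS at the parent, everything shows as insecure) can be checked locally by computing the DS a parent should publish from the child's DNSKEY, per RFC 4034, and comparing it with what the parent actually serves. This is an added example, not code from the thread or from BIND; the DNSKEY bytes are constructed because the real penguinpee.nl keys are not on the page.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed labels, root label last."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA (RFC 4034 s.2.1): flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, hex digest); the digest covers
    owner-name-in-wire-format || DNSKEY RDATA (RFC 4034 s.5.1.4)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def chain_status(owner: str, child_dnskeys: list, parent_ds: list) -> str:
    """Classify the delegation the way a validating resolver would.
    child_dnskeys: DNSKEY RDATA byte strings served by the child zone.
    parent_ds: (key_tag, algorithm, digest_type, hex digest) tuples served by the parent."""
    if not parent_ds:
        return "insecure"  # no DS at the parent: the chain ends there, child RRSIGs are never checked
    for ds in parent_ds:
        for rdata in child_dnskeys:
            try:
                if ds_from_dnskey(owner, rdata, ds[2]) == (ds[0], ds[1], ds[2], ds[3].upper()):
                    return "secure"
            except KeyError:
                continue  # digest type we cannot compute; this DS cannot be used
    return "bogus"  # DS present but matches no DNSKEY: validation fails (SERVFAIL)


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 13, bytes(range(64)))  # constructed key, not the real KSK
    ds = ds_from_dnskey("penguinpee.nl.", ksk)
    print("DS the parent should carry:", ds)
    print("DS published:", chain_status("penguinpee.nl.", [ksk], [ds]))  # secure
    print("DS stripped :", chain_status("penguinpee.nl.", [ksk], []))    # insecure
```

With real data, feed `chain_status` the child's DNSKEY RRset and the DS RRset obtained from the parent (for example via `dig DNSKEY penguinpee.nl` and `dig DS penguinpee.nl`); a DS that matches nothing is worse than a missing one, since resolvers then return SERVFAIL rather than an unvalidated answer.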


Domain no longer fully secure after move

2022-12-14 Thread Sandro

Hi,

I'm trying to understand what exactly is wrong with DNSSEC for my 
domain, penguinpee.nl, before contacting involved parties.


I recently (last weekend) moved the domain to a new registrar. The keys 
are now managed by the registrar directly. At least I don't see an 
option providing my own or additional keys in their web interface.


Moreover, I'm no longer running my own DNS server. :(
Previously, I could set my own BIND server as a primary server for my 
domain and have the registrar use AXFR to update the secondaries.


The DNSViz analysis for the current situation:
https://dnsviz.net/d/penguinpee.nl/Y5oJSw/dnssec/

And from before the move:
https://dnsviz.net/d/penguinpee.nl/Yq3P8w/dnssec/

Verisign has one single complaint: No DS records found for penguinpee.nl 
in the nl zone.


IIUC, the details for the DS record have to be provided by my new 
registrar, so SIDN can add them.


-- Sandro