[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Hi Daniel

> The nerd answer is that you can use Automated DNSSEC Provisioning [1]
> to enable DNSSEC. This also sends an EPP poll message to your
> registrar to update locally cached state information about a domain
> name.

Yes, trying to understand how I correctly get rid of my old RRSIG entries without shooting myself in the foot, I came across this whole new dnssec-policy and automatic publishing of CDS records via BIND.

Not sure if I have yet fully understood the mechanics. But I have tentatively set it up now and I'll see if this somehow, by the magic of the internet, causes my DS entries to get refreshed.

--
Kind regards
-Benoît Panizzon-
@ home office and reachable as usual
--
ImproWare AG - Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Thanks Daniel for your helpful answers. Yes, CDS is also something I always wanted to try, but as usual: no hard pressure, no time... ;-)

Benoît Panizzon wrote:
> From their point of view, my 'algo 5' .ch domains have still DNSSEC active

Basically the same behavior I had with my 'algo 7' domains (infomaniak).

> but deleting DS or disabling DNSSEC hangs forever and upon reloading my old
> algo 5 keys are back.

I did not even try to delete/disable DNSSEC, I was just able to update the existing record (key/algo/hash). Then the update towards the registry was carried out immediately, seems the old values do not matter then. Cannot tell whether that works with Gandi though. Maybe option #3 besides the nerd and normal answers and worth a try?

Regards, Franco

On 01.05.23 17:11, Benoît Panizzon via swinog wrote:
> Hi Daniel
>
>> The nerd answer is that you can use Automated DNSSEC Provisioning [1]
>> to enable DNSSEC. This also sends an EPP poll message to your
>> registrar to update locally cached state information about a domain
>> name.
>
> Yes, trying to understand how I correctly get rid of my old RRSIG
> entries without shooting myself in the foot, I came across this whole
> new dnssec-policy and automatic publishing of CDS records via BIND.
>
> Not sure if I have yet fully understood the mechanics. But I have
> tentatively set it up now and I'll see if this somehow, by the magic
> of the internet, causes my DS entries to get refreshed.
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
On 01.05.23 15:48, Benoît Panizzon via swinog wrote:
> It looks like Gandi at least messed up their Registrar UI.
> From their point of view, my 'algo 5' .ch domains have still DNSSEC active
> but deleting DS or disabling DNSSEC hangs forever and upon reloading my old
> algo 5 keys are back.
> I guess they perform some API calls to Switch and this fails, because both
> disagree on the DNSSEC status?

The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name. See also chapter 6.1 in our Automated DNSSEC Provisioning Guidelines [2].

I don't know if EPP poll messages have been used in the algo 5/7 removal procedure or if registrars received a list of affected domains and were instructed to refresh locally cached state. If the former and the domain state is still wrong, then the registrar is not processing EPP poll messages.

The normal answer is that you should contact the registrar and ask them to refresh the domain.

Daniel

[1] https://www.nic.ch/de/security/cds/
[2] https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
G'day

just saw something was missing in my reply.
It should say: digest-type 2 and key algorithm 13 should be used.

cheers

Marcus

Monday, May 1, 2023, 11:32:30 AM, you wrote:
> Darn, thank you for the hint! I'm also affected and missed the phase out
> of those algos.
> Guess I have to read:
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> I wonder why my registrar never notified me that he would delete my DS
> records disabling DNSSEC on my domains.
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Hi all,

Thanks for your replies, you basically backed my working assumption concerning deprecated algorithms, good to know.

However, this raises some questions about the chosen proceeding of "just wiping" algo 5/7 and digest 1 DS records from the .ch zone...

Affected domain holders should and could have been informed (by whoever...), I am pretty sure there are more affected .ch/.li domains out there, with their domain holders not being aware that their DNSSEC protection is currently turned off. Didn't have this problem with other TLDs so far.

Would be interesting to see a chart similar to this one: https://www.nic.ch/de/statistics/dnssec/ which shows the different algorithms in use.

Marcus Jaeger wrote:
> To the partners at least, in October 2022 informing them that anything
> containing digest-type 1 and/or key algorithm 5 or 7 are no longer
> supported and will be deleted.
> This was done last week and digest-type 2 and key algorithm 13 should be used.

Well, as an end user I am not a "partner" in the sense of the registry/registrar agreement, so I never received any communication about this proceeding.

Who would be liable and paying for possible damage? Where damage in the best case would be junked or non-deliverable emails, services not working as expected, additional admin work (you/me), etc. I guess either the registry (SWITCH) for "just doing this", or the registrars for not passing on this information to their customers... This would be a funny lawsuit... ;-)

> Since end of January 2023 you could not use them anymore.

Probably valid for new DNSSEC activations, had no effect on pre-existing algo 5/7 domains.

John Howard wrote:
> Not sure if/how it relates to this situation, but it's notable that the
> DNSSEC key signing ceremony was a couple of days ago?
>
> https://www.iana.org/dnssec/ceremonies/49
>
> I don't see any deprecations but maybe someone needs an update somewhere?

Probably an unrelated coincidence, but thanks for sharing, interesting 3.5h ceremony, didn't watch it in full though... ;-)

Jeroen Massar wrote:
> Alg 7 is ancient and deprecated...

Technically, agreed. I have been bearing this in my head for months or even years that I should "eventually" change this. Eventually has now changed to immediately...

Administratively, there is a slight difference between ancient/deprecated and disabled/forbidden. Reminds me of RFC 2119 (MAY, MUST, MUST NOT, etc).

Rhetorical question, what is better: a domain signed with a deprecated algorithm, or an unsigned domain which the holder thinks is signed?

Benoît Panizzon wrote:
> Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

Since DNSSEC was disabled, I guess you can't do a key rollover. Just start over...

> I wonder why my registrar never notified me that he would delete my DS records
> disabling DNSSEC on my domains.

I guess it was the registry that wiped the DS records, not your registrar. At least my registrar's GUI still showed a nice all-green DNSSEC overview with the wiped DS records still in place...

Thanks & have a nice and secure week ;-)

Regards, Franco

On 01.05.23 11:50, Marcus J via swinog wrote:
> G'day
>
> just saw something was missing in my reply.
> It should say: digest-type 2 and key algorithm 13 should be used.
>
> cheers
>
> Marcus
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Alg 7 is ancient and deprecated...

When one has DNS issues, especially DNSSEC related, run dnsviz: https://dnsviz.net/d/gkb.ch/ZDeung/dnssec/ as that will show you what is off:

```
• gkb.ch zone: The server(s) were not responsive to queries over UDP. (2001:67c:2350:11::bad:babe)
• gkb.ch/A: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
• gkb.ch/NS: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
```

```
• RRSIG gkb.ch/A alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/A alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
```

Greets,
Jeroen
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Hey

> To the partners at least, in October 2022 informing them that
> anything containing digest-type 1 and/or key algorithm 5 or 7 are
> no longer supported and will be deleted. This was done last week and
> digest-type 2 and key algorithm should be used. Since end of January
> 2023 you could not use them anymore.

Darn, thank you for the hint! I'm also affected and missed the phase out of those algos.

Guess I have to read:
https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

I wonder why my registrar never notified me that he would delete my DS records disabling DNSSEC on my domains.

--
Kind regards
-Benoît Panizzon-
@ home office and reachable as usual
--
ImproWare AG - Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Some update

It looks like Gandi at least messed up their Registrar UI.

From their point of view, my 'algo 5' .ch domains have still DNSSEC active but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back.

I guess they perform some API calls to Switch and this fails, because both disagree on the DNSSEC status?

--
Kind regards
-Benoît Panizzon-
@ home office and reachable as usual
--
ImproWare AG - Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
G'day Franco,

To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 or 7 are no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm should be used. Since end of January 2023 you could not use them anymore.

cheers

Marcus

Monday, May 1, 2023, 12:55:56 AM, you wrote:
>> Hey SWINOGgers,
>> I noticed that DNSSEC was somehow auto-disabled at registry level for some
>> .ch domains I am responsible for.
>> For these domains, no DS records are published anymore in the .ch zone,
>> dnsviz shows a broken chain of trust.
>> However, registrar data still shows that DNSSEC is enabled, but the registry
>> (SWITCH) says it is not...
>> Is this a known problem?
>> Seems not all DNSSEC protected .ch domains are affected, which leads me to
>> the suspicion that it might have to do with the algorithm being used.
>> Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did
>> I miss an announcement?
>> Random example, e.g. gkb.ch (notably a bank...)
>>> dig +short @dns1.inventx.ch gkb.ch dnskey
>>> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ
>>> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ
>>> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
>>> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7
>>> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B
>>> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz
>>> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm
>>> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ
>>> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
>>>
>>> dig +short @a.nic.ch gkb.ch ds
>>>
>>> -> no DS record
>> Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):
>>> dig +short @ns2.switch.ch switch.ch dnskey
>>> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J
>>> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
>>> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf
>>> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
>>> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w
>>> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
>>>
>>> dig +short @a.nic.ch switch.ch ds
>>> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C
>> Could anybody shed some light on this?
>> Thanks & regards, Franco

--
---
Klingon Embassy Runners http://klingon-embassy-runner.im
* Klingon Embassy: http://www.klingon-embassy.co.za
---
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Not sure if/how it relates to this situation, but it's notable that the DNSSEC key signing ceremony was a couple of days ago?

https://www.iana.org/dnssec/ceremonies/49

I don't see any deprecations but maybe someone needs an update somewhere?

BR
John
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
I wasn't a part of this procedure so I cannot answer anything related to that. I can, however, respond to questions for which we make information available online. If you want specific information about the procedure I suggest you ask your registrar or you can contact SWITCH at regis...@nic.ch.

On 01.05.23 14:12, Franco Hug via swinog wrote:
> Would be interesting to see a chart similar to this one:
> https://www.nic.ch/de/statistics/dnssec/ which shows the different
> algorithms in use.

You can find the DNSSEC algorithm breakdown for the end of 2022 for .ch on slide 21:
https://www.nic.ch/export/shared/.content/files/SWITCH_Report_Registry_2022.pdf

DNSSEC algorithm            Number    Percentage
5  – RSASHA1                    45         0.00%
7  – RSASHA1-NSEC3-SHA1        607         0.05%
8  – RSASHA256              97,098         8.96%
10 – RSASHA512                  67         0.01%
13 – ECDSAP256SHA256     1,018,855        91.22%
14 – ECDSAP384SHA384           139         0.01%
15 – ED25519                    61         0.01%
16 – ED448                      14         0.00%

Older reports are published at: https://www.nic.ch/about/

>> Since end of January 2023 you could not use them anymore.
>
> Probably valid for new DNSSEC activations, had no effect on pre-existing
> algo 5/7 domains.

Same PDF has some information on slide 15 which basically states:

* Nov 2022, you can not introduce algo 5 or 7 for a previously unsigned domain
* Jan 2023, you can not roll your algo 5 or 7 unless to a more modern algorithm

Cheers,
Daniel
[swinog] DNSSEC auto-disabled by SWITCH on some .ch domains?
Hey SWINOGgers,

I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for.

For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust. However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not...

Is this a known problem?

Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have to do with the algorithm being used. Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?

Random example, e.g. gkb.ch (notably a bank...)

> dig +short @dns1.inventx.ch gkb.ch dnskey
> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ
> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ
> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7
> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B
> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz
> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm
> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ
> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
>
> dig +short @a.nic.ch gkb.ch ds
>
> -> no DS record

Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):

> dig +short @ns2.switch.ch switch.ch dnskey
> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J
> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf
> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w
> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
>
> dig +short @a.nic.ch switch.ch ds
> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C

Could anybody shed some light on this?

Thanks & regards, Franco
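The checks this thread does by hand with dig (is a DS published at the parent, which algorithm do the DNSKEYs use, does the published DS actually belong to one of the zone's keys) as an added Python example; this is not code from the thread, from SWITCH or from any of the posters. It parses `dig +short` output in the form pasted above, flags algorithms 5 and 7 and digest type 1 (the values the thread reports SWITCH stopped accepting), reports the "no DS at the registry" state, and recomputes the key tag and DS digest from each DNSKEY per RFC 4034 so that a DS can be verified against the DNSKEY RRset. The sample inputs are the dig output for gkb.ch and switch.ch quoted in the original post; the deprecation lists and the message wording are this example's own assumptions, and the two-byte key used in the comment below is a constructed value, not a real key.

```python
"""Audit a zone's DNSSEC state from `dig +short ... dnskey` / `... ds` output:
deprecated algorithms or digest types, missing DS at the parent, and whether a
published DS matches one of the zone's DNSKEYs (RFC 4034 key tag + DS digest)."""
import base64
import hashlib
import struct

# Values the thread reports as dropped by the .ch registry (assumption: list is ours).
DEPRECATED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DIGESTS = {1: "SHA-1"}
# DS digest types this script can recompute: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_FUNCS = {2: hashlib.sha256, 4: hashlib.sha384}

# Sample input taken from the dig output quoted in the thread. dig wraps the
# base64 key material across space-separated chunks; the parser joins them.
GKB_DNSKEY = """\
256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
"""
GKB_DS = ""  # `dig +short @a.nic.ch gkb.ch ds` returned nothing in the thread

SWITCH_DNSKEY = """\
257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
"""
SWITCH_DS = "32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C\n"


def parse_dnskeys(text):
    """Parse `dig +short ... dnskey` lines into (flags, protocol, alg, key_bytes).
    key_bytes is None when the base64 is damaged (e.g. mangled by copy/paste)."""
    keys = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        flags, proto, alg = (int(f) for f in fields[:3])
        try:
            key = base64.b64decode("".join(fields[3:]))
        except ValueError:
            key = None
        keys.append((flags, proto, alg, key))
    return keys


def parse_ds(text):
    """Parse `dig +short ... ds` lines into (key_tag, alg, digest_type, hex_digest)."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        tag, alg, dtype = (int(f) for f in fields[:3])
        records.append((tag, alg, dtype, "".join(fields[3:]).upper()))
    return records


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.
    Constructed check: key_tag(257, 3, 13, b"\\x00\\x01") == 1039."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in DNS wire format (length-prefixed labels, root label last)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(name, flags, proto, alg, key, digest_type=2):
    """DS digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    data = wire_name(name.lower()) + dnskey_rdata(flags, proto, alg, key)
    return DIGEST_FUNCS[digest_type](data).hexdigest().upper()


def audit(name, dnskey_text, ds_text):
    """Return a list of human-readable findings for one zone."""
    findings = []
    keys = parse_dnskeys(dnskey_text)
    for flags, proto, alg, key in keys:
        tag = key_tag(flags, proto, alg, key) if key is not None else "?"
        if key is None:
            findings.append(f"DNSKEY alg {alg}: key material could not be decoded")
        if alg in DEPRECATED_ALGS:
            findings.append(f"DNSKEY tag {tag} uses deprecated algorithm {alg} ({DEPRECATED_ALGS[alg]})")
    ds_records = parse_ds(ds_text)
    if not ds_records:
        findings.append("no DS at registry: the parent treats the zone as unsigned")
    for tag, alg, dtype, digest in ds_records:
        if dtype in DEPRECATED_DIGESTS:
            findings.append(f"DS {tag} uses deprecated digest type {dtype} ({DEPRECATED_DIGESTS[dtype]})")
        match = any(
            k[3] is not None and k[2] == alg and key_tag(*k) == tag
            and dtype in DIGEST_FUNCS and ds_digest(name, *k, digest_type=dtype) == digest
            for k in keys
        )
        findings.append(f"DS {tag}/{alg}/{dtype} {'matches' if match else 'does NOT match'} a published DNSKEY")
    return findings


if __name__ == "__main__":
    for zone, keys, ds in (("gkb.ch", GKB_DNSKEY, GKB_DS), ("switch.ch", SWITCH_DNSKEY, SWITCH_DS)):
        print(zone)
        for finding in audit(zone, keys, ds):
            print("  -", finding)
```

To use it on a live zone, paste the output of `dig +short @<authoritative> <zone> dnskey` and `dig +short @<parent-server> <zone> ds` into the two strings; a "no DS" finding together with a registrar UI still showing DNSSEC as enabled is exactly the disagreement the thread describes, and the recomputed digest tells you whether the DS the registry holds is for a key you actually publish.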