Hey SWINOGgers,

I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch 
domains I am responsible for.
For these domains, no DS records are published anymore in the .ch zone; dnsviz 
shows a broken chain of trust.
However, registrar data still shows that DNSSEC is enabled, but the registry 
(SWITCH) says it is not...
Is this a known problem?

It seems not all DNSSEC-protected .ch domains are affected, which leads me to 
the suspicion that it might have to do with the algorithm being used.

Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I 
miss an announcement?

Random example, e.g. gkb.ch (notably a bank...)

> dig +short @dns1.inventx.ch gkb.ch dnskey
> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ 
> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ 
> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 
> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B 
> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz 
> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm 
> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ 
> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
> 
> dig +short @a.nic.ch gkb.ch ds
> 
> -> no DS record

Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):

> dig +short @ns2.switch.ch switch.ch dnskey
> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 
> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf 
> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w 
> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
> 
> dig +short @a.nic.ch switch.ch ds
> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C

Could anybody shed some light on this?

Thx & Gruass, Franco
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
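An added example (not part of Franco's post, and not SWITCH's or anyone's tooling) that turns the comparison he did by hand into an offline check: it parses the `dig +short` DNSKEY and DS output as pasted in the mail, flags the algorithm numbers RFC 8624 marks MUST NOT / NOT RECOMMENDED for signing (7 is among them), computes each key's key tag (RFC 4034 Appendix B) and verifies that any DS at the parent actually digests one of the zone's keys (RFC 4034 section 5.1.4). The embedded records are copied from the post; whether SWITCH in fact stopped accepting DS records for SHA-1 algorithms is exactly the open question, so the deprecated-algorithm set is RFC guidance, not registry policy.

```python
"""Offline audit of a zone's DNSKEY RRset versus the DS at the parent.
Input is the pasted `dig +short` output (mail quoting '> ' is tolerated)."""
import base64
import hashlib
import re

# RFC 8624 section 3.1: algorithm numbers MUST NOT / NOT RECOMMENDED for signing.
DEPRECATED_ALGOS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                    7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}
DIGEST_NAMES = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest types (RFC 4034, RFC 6605)
_RR_START = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")  # "flags proto alg rest" / "tag alg dtype rest"


def _clean(raw):
    """Strip mail quoting ('> ') and surrounding whitespace from a pasted line."""
    return raw.lstrip("> ").strip()


def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (algorithm 1 has its own rule, not handled)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """dig wraps the base64 key with spaces and mail clients break it over lines:
    a record starts at a 'flags proto alg' prefix and absorbs bare base64 fragments."""
    keys = []
    for raw in text.splitlines():
        line = _clean(raw)
        m = _RR_START.match(line)
        if m:
            keys.append({"flags": int(m.group(1)), "proto": int(m.group(2)),
                         "alg": int(m.group(3)), "b64": m.group(4)})
        elif line and keys:
            keys[-1]["b64"] += line          # continuation of the previous key
    for k in keys:
        k["pubkey"] = base64.b64decode(k["b64"].replace(" ", ""))
        k["tag"] = key_tag(k["flags"], k["proto"], k["alg"], k["pubkey"])
    return keys


def parse_ds(text):
    """Parse DS answer lines; an empty list means the parent publishes no DS."""
    records = []
    for raw in text.splitlines():
        m = _RR_START.match(_clean(raw))
        if m and re.fullmatch(r"[0-9A-Fa-f ]+", m.group(4)):
            records.append({"tag": int(m.group(1)), "alg": int(m.group(2)),
                            "digest_type": int(m.group(3)),
                            "digest": m.group(4).replace(" ", "").lower()})
    return records


def wire_name(name):
    """Owner name in wire format, lower-cased (canonical form used for DS digests)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_digest(owner, key, digest_type):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    rdata = key["flags"].to_bytes(2, "big") + bytes([key["proto"], key["alg"]]) + key["pubkey"]
    return hashlib.new(DIGEST_NAMES[digest_type], wire_name(owner) + rdata).hexdigest()


def audit(zone, dnskey_text, ds_text):
    """What a validating resolver sees at the delegation: algorithms, DS presence, DS match."""
    keys, ds_records = parse_dnskeys(dnskey_text), parse_ds(ds_text)
    matched = sorted({d["tag"] for d in ds_records for k in keys
                      if d["tag"] == k["tag"] and d["alg"] == k["alg"]
                      and d["digest_type"] in DIGEST_NAMES
                      and ds_digest(zone, k, d["digest_type"]) == d["digest"]})
    return {"zone": zone,
            "algorithms": sorted({k["alg"] for k in keys}),
            "deprecated": sorted({DEPRECATED_ALGOS[k["alg"]] for k in keys if k["alg"] in DEPRECATED_ALGOS}),
            "ds_published": bool(ds_records),
            "ds_matching_key_tags": matched}   # empty => chain of trust broken at the parent


# Records copied from the post above (gkb.ch: algorithm 7, no DS at a.nic.ch).
GKB_DNSKEY = """\
> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ
> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ
> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7
> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B
> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz
> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm
> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ
> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
"""
GKB_DS = "> -> no DS record\n"
# Records copied from the post above (switch.ch: algorithm 13, DS present).
SWITCH_DNSKEY = """\
> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J
> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf
> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w
> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
"""
SWITCH_DS = "> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C\n"

if __name__ == "__main__":
    for args in (("gkb.ch", GKB_DNSKEY, GKB_DS), ("switch.ch", SWITCH_DNSKEY, SWITCH_DS)):
        print(audit(*args))
```

Run it on live output by piping `dig +short @<auth-server> <zone> dnskey` and `dig +short @a.nic.ch <zone> ds` into `audit()`; a zone whose report shows a deprecated algorithm and an empty `ds_matching_key_tags` is the situation described in the post, and the remedy on the zone side is a rollover to an RFC 8624 MUST/RECOMMENDED algorithm (8, 13 or 15) followed by publishing the new DS.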