G'day Franco,

To the partners at least, in October 2022 informing them that
anything containing digest-type 1 and/or key algorithm 5 or 7 is no longer 
supported and will be deleted. This was done last week and digest-type 2 and 
key algorithm should be used.
Since end of January 2023 you could not use them anymore.

cheers

Marcus



Monday, May 1, 2023, 12:55:56 AM, you wrote:

>> Hey SWINOGgers,

>> I noticed that DNSSEC was somehow auto-disabled at registry level for some 
>> .ch domains I am responsible for.
>> For these domains, no DS records are published anymore in the .ch zone, 
>> dnsviz shows a broken chain of trust.
>> However, registrar data still shows that DNSSEC is enabled, but the registry 
>> (SWITCH) says it is not...
>> Is this a known problem?

>> Seems not all DNSSEC protected .ch domains are affected, which leads me to 
>> the suspicion that it might have
>> to do with the algorithm being used.

>> Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did 
>> I miss an announcement?

>> Random example, e.g. gkb.ch (notably a bank...)

>>> dig +short @dns1.inventx.ch gkb.ch dnskey
>>> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ 
>>> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ 
>>> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
>>> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 
>>> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B 
>>> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz 
>>> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm 
>>> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ 
>>> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
>>> 
>>> dig +short @a.nic.ch gkb.ch ds
>>> 
>>> -> no DS record

>> Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):

>>> dig +short @ns2.switch.ch switch.ch dnskey
>>> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 
>>> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
>>> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf 
>>> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
>>> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w 
>>> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
>>> 
>>> dig +short @a.nic.ch switch.ch ds
>>> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C

>> Could anybody shed some light on this?

>> Thx & Gruass, Franco
>> _______________________________________________
>> swinog mailing list -- swinog@lists.swinog.ch
>> To unsubscribe send an email to swinog-le...@lists.swinog.ch






-- 
---------------------------------------------------
              Klingon Embassy Runners
         http://klingon-embassy-runner.im
   *********************************************
              Klingon Embassy:
        http://www.klingon-embassy.co.za
---------------------------------------------------
-----------------------------------------------------
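
An added example, not part of the original thread: a small Python check that reads `dig +short` DNSKEY and DS output and flags the values this thread says the .ch registry no longer accepts (key algorithms 5 and 7, digest type 1), plus the signed-zone-without-DS state Franco observed. The function names and sample records are assumptions constructed for illustration.

```python
import re

# Values the thread says are no longer accepted for .ch delegations.
DEPRECATED_KEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DIGEST_TYPES = {1: "SHA-1"}

# A record line in `dig +short` output starts with three integers.
_HEAD = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+\S")

def record_heads(dig_short_output):
    """Return the three leading integer fields of every record.

    Wrapped base64/hex continuation lines (as seen in mail archives) do
    not start with three integers, so they are skipped.
    """
    heads = []
    for line in dig_short_output.splitlines():
        m = _HEAD.match(line)
        if m:
            heads.append(tuple(int(g) for g in m.groups()))
    return heads

def audit(dnskey_output, ds_output):
    """Return a list of findings for one zone (empty list = nothing flagged)."""
    findings = []
    keys = record_heads(dnskey_output)  # (flags, protocol, algorithm)
    dss = record_heads(ds_output)       # (key tag, algorithm, digest type)
    for flags, _proto, alg in keys:
        if alg in DEPRECATED_KEY_ALGS:
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks a KSK
            findings.append(f"{role} uses algorithm {alg} ({DEPRECATED_KEY_ALGS[alg]})")
    for tag, alg, dtype in dss:
        if alg in DEPRECATED_KEY_ALGS:
            findings.append(f"DS {tag} uses algorithm {alg} ({DEPRECATED_KEY_ALGS[alg]})")
        if dtype in DEPRECATED_DIGEST_TYPES:
            findings.append(f"DS {tag} uses digest type {dtype} ({DEPRECATED_DIGEST_TYPES[dtype]})")
    if keys and not dss:
        findings.append("zone publishes DNSKEY but the parent has no DS")
    return findings

# Constructed sample input (placeholder key material, not real keys).
SAMPLE_ALG7_DNSKEY = "256 3 7 Q09OU1RSVUNURUQ=\n257 3 7 Q09OU1RSVUNURUQ=\n  Q09OU1RSVUNURUQ=\n"
SAMPLE_ALG13_DNSKEY = "257 3 13 Q09OU1RSVUNURUQ=\n"
SAMPLE_GOOD_DS = "12345 13 2 0123456789ABCDEF\n"
SAMPLE_OLD_DS = "12345 8 1 0123456789ABCDEF\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_ALG7_DNSKEY, ""):
        print(finding)
```
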

