G'day Franco,
To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 oder 7 are no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm should be used. Since end of January 2023 you could not use them anymore. cheers Marcus Monday, May 1, 2023, 12:55:56 AM, you wrote: >> Hey SWINOGgers, >> I noticed that DNSSEC was somehow auto-disabled at registry level for some >> .ch domains I am responsible for. >> For these domains, no DS records are published anymore in the .ch zone, >> dnsviz shows a broken chain of trust. >> However, registrar data still shows that DNSSEC is enabled, but the registry >> (SWITCH) says it is not... >> Is this a known problem? >> Seems not all DNSSEC protected .ch domains are affected, which leads me to >> the suspicion that it might have >> to do with the algorithm being used. >> Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did >> I miss an announcement? >> Random example, e.g. gkb.ch (notably a bank...) >>> dig +short @dns1.inventx.ch gkb.ch dnskey >>> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ >>> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ >>> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55 >>> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 >>> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B >>> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz >>> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm >>> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ >>> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s= >>> >>> dig +short @a.nic.ch gkb.ch ds >>> >>> -> no DS record >> Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256): >>> dig +short @ns2.switch.ch switch.ch dnskey >>> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J >>> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ== >>> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf >>> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A== >>> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w >>> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ== >>> >>> dig +short @a.nic.ch switch.ch ds >>> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C >> Could anybody shed some light on this? >> Thx & Gruass, Franco >> _______________________________________________ >> swinog mailing list -- swinog@lists.swinog.ch >> To unsubscribe send an email to swinog-le...@lists.swinog.ch -- --------------------------------------------------- Klingon Embassy Runners http://klingon-embassy-runner.im ********************************************* Klingon Embassy: http://www.klingon-embassy.co.za --------------------------------------------------- ----------------------------------------------------- _______________________________________________ swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-le...@lists.swinog.ch