Hi,

Just joined the list and I've searched back 12 months and see no similar topic.

I've been DNSSEC Signing my domains for several years - probably as I was teaching others how to do that.
This includes my Reverse DNS too.
I am in the AFRINIC Region.
I have some Legacy IPv4 address space - originally from ARIN.
192.96.24.0 - 192.96.24.31 (and others)

About six months ago - I started the process of changing everything from Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA Curve P-256 with SHA-256). From my point of view, everything has been working completely automatically - except for the Reverse DNS - where I have to go to "my.afrinic.net" and manually update DS Records (there is no automation for this at AFRINIC).

Please look at 24.96.192.in-addr.arpa. and 25.96.192.in-addr.arpa.
24 is no longer signed (because of this problem), 25 is signed (algo 13)

The Parent for the legacy block 24.96.192.in-addr.arpa is 192.in-addr.arpa - whose nameservers include z.arin.net.

In that zone file - there is a DS record for 25.96.192.in-addr.arpa:-

25.96.192.in-addr.arpa.    86289    IN    DS    36223 13 2 5DA9B9AC1C9D9C72434BEC68E9C5CF36A10FA480E6551CC9F2538745 4932E14E (This is the correct DS record - you can ask for the CDS for this from control.vweb.co.za)

...but asking a DNSSEC-aware recursive resolver gives... SERVFAIL.

$ dig @1.1.1.1 25.96.192.in-addr.arpa ns

; <<>> DiG 9.14.8 <<>> @1.1.1.1 25.96.192.in-addr.arpa ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...

This worked perfectly with Algorithm 8, before I moved to Algorithm 13.

*When will the DNS system at ARIN support Algorithm 13?*

My IPv6 Reverse DNS signed with DNSSEC works perfectly with Algorithm 13.

$ dig -x  2001:42a0::1 @1.1.1.1 +dnssec +multiline
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200 IN PTR control.vweb.co.za.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200 IN RRSIG PTR 13 34 7200 (...


--

Mark James ELKINS  -  Posix Systems - (South) Africa
[email protected]       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
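A local check that belongs in any troubleshooting of a signed delegation like the one above: recompute the DS from the child's own DNSKEY (RFC 4034 key tag and digest over owner name plus DNSKEY RDATA) and compare it with the DS the parent publishes, accepting the digest in the space-split form dig prints. This is an added example and not code from the original post or from ARIN/AFRINIC; the DNSKEY bytes are constructed (a real algorithm 13 key carries a 64-byte P-256 point) and the function names are my own.

```python
import hashlib
import struct

# Digest types (RFC 4034, RFC 4509, RFC 6605) this check understands.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm number, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def compute_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """(key_tag, algorithm, digest_type, HEX) as the parent should publish it: the digest
    covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_ds(presentation: str) -> tuple:
    """Parse DS RDATA as dig prints it; dig may break the digest into space-separated chunks."""
    tag, alg, dtype, digest = presentation.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()

def ds_matches(parent_ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True when the DS the parent publishes was derived from this child DNSKEY."""
    tag, alg, dtype, digest = parse_ds(parent_ds)
    if dtype not in DIGESTS:
        return False  # unknown digest type: a validator cannot use this DS either
    return compute_ds(owner, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest)

if __name__ == "__main__":
    # Constructed KSK for illustration: flags 257 (SEP bit), algorithm 13, and 64 bytes
    # standing in for the uncompressed P-256 point a real ECDSA DNSKEY carries.
    owner, fake_key = "25.96.192.in-addr.arpa.", bytes([1] * 64)
    tag, alg, dtype, digest = compute_ds(owner, 257, 3, 13, fake_key)
    print(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
```

If the recomputed DS equals the parent's and validation still fails, the delegation data is consistent and the problem lies elsewhere (signatures, algorithm support in the chain, or the resolver), which is the distinction the post is trying to draw.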