Alg 7 is ancient and deprecated...

When one has DNS issues, especially DNSSEC related, run dnsviz:

https://dnsviz.net/d/gkb.ch/ZDeung/dnssec/

as that will show you what is off:

```
    • gkb.ch zone: The server(s) were not responsive to queries over UDP. (2001:67c:2350:11::bad:babe)
    • gkb.ch/A: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
    • gkb.ch/NS: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
```

```
    • RRSIG gkb.ch/A alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/A alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/DNSKEY alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/DNSKEY alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/MX alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/MX alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/NS alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/NS alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/NSEC3PARAM alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/NSEC3PARAM alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/SOA alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/SOA alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/TXT alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
    • RRSIG gkb.ch/TXT alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
```

Greets,
 Jeroen
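
A local version of the algorithm warning dnsviz raises in the report above, as an added example that is not part of the original message: it reads `dig +dnssec`-style RRSIG lines and groups, per key tag, the signatures whose algorithm RFC 8624 section 3.1 advises against for signing. The zone names, key tags and signature bytes in the sample are constructed, and `audit_rrsigs` and `report` are hypothetical helper names.

```python
from collections import defaultdict

# DNSSEC signing guidance per RFC 8624 section 3.1: number -> (mnemonic, advice).
SIGNING = {
    1: ("RSAMD5", "MUST NOT"), 3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"), 6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"), 8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"), 12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"), 14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"), 16: ("ED448", "MAY"),
}
WEAK = {"MUST NOT", "NOT RECOMMENDED", "UNKNOWN"}

# Constructed sample in RRSIG presentation format (not real zone data):
# owner TTL IN RRSIG covered alg labels orig-ttl expire inception key-tag signer signature
SAMPLE = """\
; constructed input, as printed by a dig +dnssec query
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 7 2 3600 20230501000000 20230401000000 11111 example.test. c2ln
example.test. 3600 IN RRSIG A 7 2 3600 20230501000000 20230401000000 22222 example.test. c2ln
example.test. 3600 IN RRSIG MX 7 2 3600 20230501000000 20230401000000 11111 example.test. c2ln
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20230501000000 20230401000000 33333 example.test. c2ln
good.test. 3600 IN RRSIG A 13 2 3600 20230501000000 20230401000000 44444 good.test. c2ln
"""

def audit_rrsigs(text):
    """Map (signer, algorithm, key tag) -> sorted covered types for weak signatures."""
    findings = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        # Skip comments, non-RRSIG records and truncated lines.
        if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
            continue
        covered, alg, tag, signer = f[4], int(f[5]), int(f[10]), f[11]
        advice = SIGNING.get(alg, ("UNKNOWN", "UNKNOWN"))[1]
        if advice in WEAK:
            findings[(signer, alg, tag)].add(covered)
    return {key: sorted(types) for key, types in findings.items()}

def report(text):
    """One human-readable line per weak signing key, ordered by signer and key tag."""
    lines = []
    for (signer, alg, tag), types in sorted(audit_rrsigs(text).items()):
        name, advice = SIGNING.get(alg, ("UNKNOWN", "UNKNOWN"))
        lines.append(f"{signer} alg {alg} ({name}), key tag {tag}: "
                     f"signing {advice}; covers {', '.join(types)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```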
