DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA25

JoshData · June 26, 2021, 1:13pm

Interesting. That’s for the DNSKEY record type. With Mail-in-a-Box, the Mail-in-a-Box (not the registrar) creates the DNSKEY records, so this field should not be used to set up DS records at the registrar.

mveplus · June 28, 2021, 10:29pm

Hi mskendrick,

I did notice the same thing after the upgrade to v0.54 and did upgrade the DNSSEC keys at the registrar ( GoDaddy in my case ). All went fine for TLDs: .net, .co.uk, .me, and all validated during the checks.
But for TLD .pro the registrar or I guess the root servers? does not support Option 1&2 (Algorithm: 13 / ECDSAP256SHA256 ).
So I did update with the next available one - Option 3 Algorithm: 8 / RSASHA256 with Digest Type: 2 / SHA-256 and it does pass the validation fine here and locally with dig as well, but MIAB still does not seem to like it when it does run the “System Status Checks” and prompts for an update…huh

? DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).

I’ll ignore it for now, as I know it’s valid, but this “advisory” it’s just drive me nuts

Cheers,

markand · June 29, 2021, 10:38am

I use Epik as my registrar and their DNSSEC UI had no way to properly configure any of the options. I uploaded the entire miab message with all options to support and they changed it. It worked!

LAVenetz · June 30, 2021, 9:38am

@markand Thanks, I’ll try to transfer to Epik.

latinhypercube · June 30, 2021, 11:47am

Just to let folks know that I updated my DNSSEC protocols with Gandi.net and it was very straightforward. The Gandi user interface is very easy to use. Selecting the correct protocol is very easy.

One thing to note. I believe that you should add the new records and check they work (by looking at the MIAB admin panel) before deleting the old records.

It took only a few minutes for the records to update when set at Gandi. The whole process for 6 domains took only about 15 minutes in total; I updated and checked them one at a time starting with my less critical domains.

openletter · June 30, 2021, 1:11pm

Also Namecheap and NameSilo are both very easy to use.

There is an RFC somewhere that outlines how to migrate DNSSEC DNSKEY/DS “RRsets”, and it includes not deleting the old RRset before verifying the new RRset works.

never · July 1, 2021, 10:24am

+1 for Namecheap.

(If you’re looking Namecheap - I’ll take a free renewal - thanks! )

LAVenetz · July 15, 2021, 9:01am

What is worth waiting for my domain’s DNSSEC ‘DS’ record. After I submitted a non-binding request to configure the DNSSEC ‘DS’ record, my registrar (whois.com) finally succeeded. I urged them to please take notes so that it doesn’t happen again in the next incident. (It took about more than three (3) weeks!)

system · August 24, 2021, 9:02am

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.