DNSSEC setup on a brand new box (no external DNS)

Hi,

I’ve installed a MIAB instance and it works very well.
I’ve used the install guide with the box serving the DNS.
One thing I’m confused about: in the system checks I have this
“This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS record, you must follow the instructions provided by your domain name registrar and provide to them this information: --tech info–”

I’ve contacted my registrar but they’re confused since they’re not serving the zone, the box is.
They suggest that I deal directly with the AFNIC, the TLD owner for ‘.fr’

I’ve already waited for a few days in case it was a propagation problem.
I’ve also rebooted the box in case it was some setting not activated.
The latest update applied yesterday did not change things either…

Am I missing something?
Since the zone is served by the box, I would assume that DNSSEC setup does not involve my registrar?

And thanks for this great project

Might I ask who is your domain registrar?

Actually, THEY are missing something. The registrar must publish the information provided, so that the authenticity of your name servers can be confirmed.

From ICANN:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
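To make concrete what the registrar has to publish, here is an added example (not Mail-in-a-Box code) that uses a constructed, not real, key: the DS record the status check asks for is a digest of the zone’s KSK DNSKEY, computed over the owner name plus the DNSKEY RDATA (RFC 4034), and the script both derives that DS and checks a DS answer from the parent zone against it.

```python
import base64
import hashlib
import struct

# Constructed sample: the public-key bytes are made up (NOT a real key) so this runs offline.
SAMPLE_OWNER = "example.fr"
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(1, 33))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text: str) -> bytes:
    """Turn DNSKEY presentation format ('flags proto alg base64...') into RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, HEX digest): the DS the registrar must publish."""
    rdata = parse_dnskey(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(published_ds: str, expected: tuple) -> bool:
    """Check a DS rdata string as returned by the parent (e.g. `dig +short DS`) against the
    expected DS. dig may split the hex digest across whitespace, so trailing fields are re-joined."""
    fields = published_ds.split()
    if len(fields) < 4:
        return False
    try:
        tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        return False
    return (tag, alg, dtype, "".join(fields[3:]).upper()) == expected

if __name__ == "__main__":
    expected = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS to give the registrar:", *expected)
    # Simulated parent-zone answers: the right DS passes, a stale or mistyped one fails.
    print("matches?", ds_matches("%d %d %d %s" % expected, expected))
    print("wrong digest matches?", ds_matches("1311 13 2 " + "0" * 64, expected))
```

After the registrar has pushed the DS to the TLD, comparing the output of `dig +short DS yourdomain.fr` with the tuple this prints for your real DNSKEY is the same check the box’s status page performs.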

Hi!
The registrar is Ikoula.com
They do have a DNSSEC interface but I can’t add the information provided by the box.
When I contacted them, they got really confused and ended up saying that since I’m serving the zone myself using the box I should contact the AFNIC directly.

I’ll contact them with the ICANN information you’ve provided me, maybe this will clear things up for them. I’ll keep you posted.

One thing to remember that I just remembered myself is that not all registrars provide DNSSEC, so that may be the case here.

Here is the AFNIC page on the subject.

https://www.afnic.fr/en/products-and-services/services/dnssec-20.html


I would contact ikoula again and politely ask for someone that already knows about DNSSEC, as my best guess is that the agent who handled your ticket may well have never heard of this before you asked the question.

Given that ikoula advertises owning their own datacenter, there must be someone there who understands that the DNSSEC records, even for customers with their own servers, are set by the domain registrar, not the TLD registrar (my understanding is you never communicate with companies like AFNIC unless you own a registrar or IP address space or other similar infrastructure).

Some registrars do not have a place in their interface for DNSSEC keys to be entered by the users. This is likely because so few customers ask for it, that it is easier to just do by hand through a support ticket than to build an interface.

I don’t know if this is true for ikoula, but I would press the issue with them. If they have invested in the infrastructure of their own datacenter, it’s hard for me to believe they don’t have a way to support DNSSEC for domain registration customers.

However, in the event you cannot discover anyone at ikoula who seems to be able to answer your questions and set up DNSSEC on their servers, you may consider moving to a different registrar, such as Gandi.


So I’ve contacted them again and your guess was correct, I got handled by another agent.
It’s like you said, their UI doesn’t allow keys to be entered and for cases like mine, they do it by hand.
The agent asked me for the setup again and said he would deal with AFNIC.
I’ve copy/pasted the config given by the box in the Status Check page and now I’m waiting on the agent.
So far so good, I’ll keep you posted


Just a thought to keep in mind in the future as invariably this will come up.

IF you ever move your MiaB installation to a different VPS (including migration from Ubuntu 18 to Ubuntu 22 when that time comes in 3 years) you will need to turn DNSSEC off. Since you are at the mercy of ikoula to manually deal with AFNIC, you’ll want to remember this and contact them a few days before you make any drastic change to your underlying VPS.

IMHO, it may be worth considering transferring the domain to a registrar which handles the DNSSEC in house online. The first that comes to mind is Gandi though I am certain that there are dozens of choices.

OK, they’ve sent the config to the AFNIC.
Now I guess I just have to wait for things to be done; hope it will work. I’ll give news on this as soon as I have them

And yes, you’re right maybe I should reflect on this lack of flexibility


Since yesterday the DNSSEC configuration is OK.
So not a really flexible procedure for sure, but I got there in the end.
Thanks a lot for your help & advice!
