Hi all,
Thanks for your replies, you basically backed my working assumption concerning deprecated algorithms, good to know.
However, this raises some questions about the chosen procedure of "just wiping" algo 5/7 and digest 1 DS records from the .ch zone...
Affected domain holders should and could have been informed (by whoever...). I am pretty sure there are more affected .ch/.li domains out there whose holders are not aware that their DNSSEC protection is currently turned off. I haven't had this problem with other TLDs so far.
Would be interesting to see a chart similar to this one: https://www.nic.ch/de/statistics/dnssec/ which shows the different algorithms in use.
Marcus Jaeger wrote:
To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 or 7 is no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm 13 should be used.
Well, as an end user I am not a "partner" in the sense of the registry/registrar agreement, so I never received any communication about this procedure.
Who would be liable and pay for possible damage, where damage in the best case would be junked or undeliverable emails, services not working as expected, additional admin work (you/me), etc.?
I guess either the registry (SWITCH) for "just doing this", or the registrars for not passing on this information to their customers... This would be a funny lawsuit... ;-)
Since the end of January 2023 you could not use them anymore.
Probably valid for new DNSSEC activations; it had no effect on pre-existing algo 5/7 domains.
John Howard wrote:
Not sure if/how it relates to this situation, but it’s notable that the DNSSEC key signing ceremony was a couple of days ago?
https://www.iana.org/dnssec/ceremonies/49
I don’t see any deprecations but maybe someone needs an update somewhere?
Probably unrelated coincidence, but thanks for sharing, interesting 3.5h ceremony, didn't watch it in full though... ;-)
Jeroen Massar wrote:
Alg 7 is ancient and deprecated...
Technically, agreed. I have had it in my head for months or even years that I should "eventually" change this. Eventually has now changed to immediately... Administratively, there is a slight difference between ancient/deprecated and disabled/forbidden. Reminds me of RFC 2119 (MAY, MUST, MUST NOT, etc.). Rhetorical question: what is better, a domain signed with a deprecated algorithm, or an unsigned domain whose holder thinks it is signed?
Benoît Panizzon wrote:
Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
Since DNSSEC was disabled, I guess you can't do a key rollover. Just start over...
I wonder why my registrar never notified me that he would delete my DS records, disabling DNSSEC on my domains.
I guess it was the registry that wiped the DS records, not your registrar. At least my registrar's GUI still showed a nice all-green DNSSEC overview with the wiped DS records still in place...
Thanks & have a nice and secure week ;-)
Regards, Franco
On 01.05.23 11:50, Marcus J via swinog wrote:
G'day
just saw something was missing in my reply. It should say: digest-type 2 and key algorithm 13 should be used.
cheers
Marcus
swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-leave@lists.swinog.ch
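The situation Franco describes (DS records removed at the parent while the registrar GUI still shows the delegation as "green", plus keys still on algorithm 5/7 or DS digest type 1) can be checked offline from two dig answers. Below is an added example, not code from the thread or from SWITCH: it parses the child's DNSKEY RRset, recomputes the DS digest per RFC 4034 section 5.1.4 (owner name in wire form followed by the DNSKEY RDATA), compares that against the DS set the parent actually serves, and flags the deprecated key algorithms 5 and 7 and DS digest type 1. The zone name and the 4-byte "public key" in the demo are constructed placeholders, not real .ch key material; in practice the inputs are the RDATA of `dig DS <zone>` (answered by the parent, i.e. the .ch servers) and `dig DNSKEY <zone>` (answered by the child).

```python
# Added example (not from the thread): offline check of a DNSSEC delegation.
# Compares the DS records the parent publishes with the child's DNSKEY RRset,
# recomputes each DS digest (RFC 4034 section 5.1.4) and flags the deprecated
# combinations discussed in the thread: key algorithms 5/7 (RSA with SHA-1)
# and DS digest type 1 (SHA-1). Sample data in __main__ is constructed.
import base64
import hashlib
from dataclasses import dataclass

DEPRECATED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DIGESTS = {1: "SHA-1"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 13 = ECDSAP256SHA256, 8 = RSASHA256, 5/7 = RSA with SHA-1
    public_key: bytes   # raw (base64-decoded) key material

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B checksum over the RDATA (all algorithms except 1).
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, as printed in the parent zone


def parse_dnskey(presentation: str) -> DNSKEY:
    """Parse DNSKEY RDATA in presentation format, e.g. '257 3 13 AQIDBA=='."""
    flags, proto, alg, *b64 = presentation.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def owner_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(owner name wire form || DNSKEY RDATA); type 2 is SHA-256."""
    digest = DIGEST_FUNCS[digest_type](owner_wire(name) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest.upper())


def check_delegation(name, parent_ds, child_dnskeys):
    """Return (status, findings); status is 'secure', 'insecure' (no DS) or 'bogus'."""
    findings = []
    if not parent_ds:
        # The thread's situation: the parent dropped the DS, so validators treat
        # the zone as unsigned regardless of what the child still publishes.
        if child_dnskeys:
            findings.append("child publishes DNSKEY but parent has no DS: DNSSEC effectively off")
        return "insecure", findings
    matched = False
    for ds in parent_ds:
        if ds.algorithm in DEPRECATED_ALGS:
            findings.append(f"DS {ds.key_tag}: deprecated key algorithm {ds.algorithm} "
                            f"({DEPRECATED_ALGS[ds.algorithm]}); roll to algorithm 13")
        if ds.digest_type in DEPRECATED_DIGESTS:
            findings.append(f"DS {ds.key_tag}: deprecated digest type {ds.digest_type} "
                            f"({DEPRECATED_DIGESTS[ds.digest_type]}); publish digest type 2")
        if ds.digest_type not in DIGEST_FUNCS:
            findings.append(f"DS {ds.key_tag}: unknown digest type {ds.digest_type}, cannot verify")
            continue
        for key in child_dnskeys:
            if key.key_tag() != ds.key_tag or key.algorithm != ds.algorithm:
                continue
            if make_ds(name, key, ds.digest_type).digest == ds.digest.upper():
                matched = True
    if not matched:
        findings.append("no parent DS matches any child DNSKEY: validating resolvers will SERVFAIL")
    return ("secure" if matched else "bogus"), findings


if __name__ == "__main__":
    zone = "example.ch"  # placeholder zone name
    # Constructed sample KSK: algorithm 13 with a dummy 4-byte key (not a real key).
    ksk = parse_dnskey("257 3 13 AQIDBA==")
    good_ds = make_ds(zone, ksk, 2)
    print("key tag", ksk.key_tag(), "->", good_ds)
    print(check_delegation(zone, [good_ds], [ksk]))  # ('secure', [])
    print(check_delegation(zone, [], [ksk]))         # ('insecure', [...]): the thread's case
```

Note the asymmetry the thread turns on: a registrar control panel shows what was submitted, not what the parent serves, so the only trustworthy input for `parent_ds` is a DS query answered by the TLD servers (or `dig +dnssec`/`delv` from a validating resolver). An empty parent DS set yields "insecure", which is exactly the silent "all green but unsigned" state; a DS that no longer matches a child key yields "bogus", which is the loud SERVFAIL failure.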