G'day Franco,
To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 oder 7 are no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm should be used. Since end of January 2023 you could not use them anymore.
cheers
Marcus
Monday, May 1, 2023, 12:55:56 AM, you wrote:
Hey SWINOGgers,
I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for. For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust. However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not... Is this a known problem?
Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have to do with the algorithm being used.
Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?
Random example, e.g. gkb.ch (notably a bank...)
dig +short @dns1.inventx.ch gkb.ch dnskey 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
dig +short @a.nic.ch gkb.ch ds
-> no DS record
Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):
dig +short @ns2.switch.ch switch.ch dnskey 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ== 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A== 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
dig +short @a.nic.ch switch.ch ds 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C
Could anybody shed some light on this?
Thx & Gruass, Franco _______________________________________________ swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-leave@lists.swinog.ch
Hey
To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 oder 7 are no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm should be used. Since end of January 2023 you could not use them anymore.
Darn, thank you for the hint! I'm also affected and missed the phase out of those algos.
Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
I wonder why my registrar never noticed me he would delete my DS records disabling DNSSEC on my domains.
G'day
just saw something was missing in my reply. It should say : digest-type 2 and key algorithm 13 should be used.
cheers
Marcus
Monday, May 1, 2023, 11:32:30 AM, you wrote:
Darn, thank you for the hint! I'm also affected and missed the phase out of those algos.
Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
I wonder why my registrar never noticed me he would delete my DS records disabling DNSSEC on my domains.
Hi all,
Thanks for your replies, you basically backed my work assumption concerning deprecated algorithms, good to know.
However, this raises some questions about the chosen proceeding of "just wiping" algo 5/7 and digest 1 DS records from the .ch zone...
Affected domain holders should and could have been informed (by whoever...), I am pretty sure there are more affected .ch/.li domains out there, with its domain holders not being aware that their DNSSEC protection is currently turned off. Didn't have this problem with other tld's so far.
Would be interesting to see a chart similar to this one: https://www.nic.ch/de/statistics/dnssec/ which shows the different algorithms in use.
Marcus Jaeger wrote:
To the partners at least, in October 2022 informing them that anything containing digest-type 1 and/or key algorithm 5 oder 7 are no longer supported and will be deleted. This was done last week and digest-type 2 and key algorithm 13 should be used.
Well, as an end user I am not a "partner" in the sense of the registry/registrar agreement, so I never received any communication about this proceeding.
Who would be liable and paying for a possible damage? Where damage in the best case would be junked or non deliverable emails, services not working as expected, additional admin work (you/me), etc.
I guess either the registry (SWITCH) for "just doing this", or the registrars for not passing on this information to their customers... This would be a funny law suit... ;-)
Since end of January 2023 you could not use them anymore.
Probably valid for new DNSSEC activations, had no effect on pre-existing algo 5/7 domains.
John Howard wrote:
Not sure if/how it relates to this situation, but it’s notable that the DNSSEC key signing ceremony was a couple of days ago?
https://www.iana.org/dnssec/ceremonies/49
I don’t see any deprecations but maybe someone needs an update somewhere?
Probably unrelated coincidence, but thanks for sharing, interesting 3.5h ceremony, didn't watch it in full though... ;-)
Jeroen Massar wrote:
Alg 7 is ancient and deprecated...
Technically, agreed. I am bearing this in my head since months or even years that I should "eventually" change this. Eventually now changed to immediately... Administratively, there is a slight difference between ancient/deprecated and disabled/forbidden. Reminds me of RFC-2119 (MAY, MUST, MUST NOT, etc). Rhetoric question, what is better: a domain signed with a deprecated algorithm, or a non-signed domain from which the holder thinks it is signed?
Benoît Panizzon wrote:
Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
Since DNSSEC was disabled, I guess you can't do a key rollover. Just start over...
I wonder why my registrar never noticed me he would delete my DS records disabling DNSSEC on my domains.
I guess it was the registry that wiped the DS records, not your registrar. At least my registrar's GUI still showed a nice all-green DNSSEC overview with the wiped DS records still in place...
Thanks & have a nice and secure week ;-)
Gruass, Franco
On 01.05.23 11:50, Marcus J via swinog wrote:
G'day
just saw something was missing in my reply. It should say : digest-type 2 and key algorithm 13 should be used.
cheers
Marcus
swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-leave@lists.swinog.ch
I wasn't a part of this procedure so I cannot answer anything related to that. I can, however, respond to questions for which we make information available online.
If you want specific information about the procedure I suggest you ask your registrar or you can contact SWITCH at registry@nic.ch.
On 01.05.23 14:12, Franco Hug via swinog wrote:
Would be interesting to see a chart similar to this one: https://www.nic.ch/de/statistics/dnssec/ which shows the different algorithms in use.
You can find the DNSSEC algorithm break down for the end of 2022 for .ch on slide 21:
https://www.nic.ch/export/shared/.content/files/SWITCH_Report_Registry_2022....
DNSSEC algorithm Number Percentage 5 – RSASHA1 45 0.00% 7 – RSASHA1-NSEC3-SHA1 607 0.05% 8 – RSASHA256 97,098 8.96% 10 – RSASHA512 67 0.01% 13 – ECDSAP256SHA256 1,018,855 91.22% 14 – ECDSAP384SHA384 139 0.01% 15 – ED25519 61 0.01% 16 – ED448 14 0.00%
Older reports are published at: https://www.nic.ch/about/
Since end of January 2023 you could not use them anymore.
Probably valid for new DNSSEC activations, had no effect on pre-existing algo 5/7 domains.
Same PDF has some information on slide 15 which basically states:
* Nov 2022, you can not introduce algo 5 or 7 for a previously unsigned domain * Jan 2023, you can not roll your algo 5 or 7 unless to a more modern algorithm
Cheers, Daniel
Some update
It looks like Gandi at least messed up their Registrar UI.
From their point of view, my 'algo 5' .ch domains have still DNSSEC active but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back. I guess they perform some API calls to Switch and this fails, because both disagree on the DNSSEC status?
On 01.05.23 15:48, Benoît Panizzon via swinog wrote:
It looks like Gandi at least messed up their Registrar UI.
From their point of view, my 'algo 5' .ch domains have still DNSSEC active but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back. I guess they perform some API calls to Switch and this fails, because both disagree on the DNSSEC status?
The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name. See also chapter 6.1 in our Automated DNSSEC Provisioning Guidelines [2]. I don't know if EPP poll messages have been used in the algo 5/7 removal procedure or if registrars received a list of affected domains and were instructed to refresh locally cached state. If the former and the domain state is still wrong then the registrar is not processing EPP poll messages.
The normal answer is that you should contact the registrar and ask him to refresh the domain.
Daniel
[1] https://www.nic.ch/de/security/cds/ [2] https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf
Hi Daniel
The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name.
Yes, trying to understand, how I correctly get rid of my old RRSIG entries without shooting myself in the foot, I came across this whole new dnssec-policy and automatic publishing CDS records via Bind.
Not sure if I have yet fully understood the mechanics. But I have tentatively set it up now and I'll see, if this somehow, by the magic of the internet, caused my DS entries to get refreshed.
Thanks Daniel for your helpful answers. Yes, CDS is also something I always wanted to try, but as usual: no hard pressure, no time... ;-)
Benoît Panizzon wrote:
From their point of view, my 'algo 5' .ch domains have still DNSSEC active
Basically the same behavior I had with my 'algo 7' domains (infomaniak).
but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back.
I did not even try to delete/disable DNSSEC, I was just able to update the existing record (key/algo/hash). Then the update towards the registry was carried out immediately, seems the old values do not matter then. Cannot tell whether that works with Gandi though.
Maybe option #3 besides the nerd and normal answers and worth a try?
Gruass, Franco
On 01.05.23 17:11, Benoît Panizzon via swinog wrote:
Hi Daniel
The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name.
Yes, trying to understand, how I correctly get rid of my old RRSIG entries without shooting myself in the foot, I came across this whole new dnssec-policy and automatic publishing CDS records via Bind.
Not sure if I have yet fully understood the mechanics. But I have tentatively set it up now and I'll see, if this somehow, by the magic of the internet, caused my DS entries to get refreshed.
Luckily I have some historic .ch zone data laying around, so I did a quick analysis of the number of ALG-7 / ALG-5 / DS-1 domains, please find the numbers below.
Seems the wipe-out has been performed in chunks, maybe by registrar. SWITCH willing to share some info?
Also interesing to see that the number of DS-1 hashes in the .ch zone file is raising again. All coming from hosttech. Though by now it seems these are not published anymore.
Gruass, Franco
DATE ALG-7 ALG-5 DS-1 ==== ===== ===== ==== 2023-04-01 530 41 59645 2023-04-02 529 41 59627 2023-04-03 528 41 59466 2023-04-04 527 41 59443 2023-04-05 527 41 59427 2023-04-06 527 41 59394 2023-04-07 526 41 59383 2023-04-08 526 41 59354 2023-04-09 524 41 59332 2023-04-10 524 41 59315 2023-04-11 524 41 59274 2023-04-12 278 28 58756 2023-04-13 279 28 58733 2023-04-14 272 22 57566 2023-04-15 269 22 57543 2023-04-16 269 22 57529 2023-04-17 269 22 57504 2023-04-18 72 19 309 2023-04-19 10 7 133 2023-04-20 10 7 135 2023-04-21 10 7 147 2023-04-22 7 4 88 2023-04-23 7 4 92 2023-04-24 7 4 92 2023-04-25 7 4 91 2023-04-26 7 4 97 2023-04-27 7 4 98 2023-04-28 0 0 0 2023-04-29 0 0 0 2023-04-30 0 0 1 2023-05-01 0 0 1 2023-05-02 0 0 5
caroule-music.ch. 3600 IN DS 7321 8 1 FF2BCD11DBBEB58B15CE581AC4D0B4F0FA7B5AC8 caroulemusic.ch. 3600 IN DS 49924 8 1 B23CB635433B6DF5893FE94BD7F27B91DED2FD3C datalawyer.ch. 3600 IN DS 49765 8 1 73CD7B42648847E43C2CF6A1E4F2680F8C0C20A4 digilawyer.ch. 3600 IN DS 13045 8 1 A5E02D7FF95BACE907F93197A23E45CB65DFF838 workforceag.ch. 3600 IN DS 49996 8 1 98B42F52FE01CB6E593CB463C11E3C602C6F2BB1
On 01.05.23 17:33, Franco Hug wrote:
Thanks Daniel for your helpful answers. Yes, CDS is also something I always wanted to try, but as usual: no hard pressure, no time... ;-)
Benoît Panizzon wrote:
From their point of view, my 'algo 5' .ch domains have still DNSSEC active
Basically the same behavior I had with my 'algo 7' domains (infomaniak).
but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back.
I did not even try to delete/disable DNSSEC, I was just able to update the existing record (key/algo/hash). Then the update towards the registry was carried out immediately, seems the old values do not matter then. Cannot tell whether that works with Gandi though.
Maybe option #3 besides the nerd and normal answers and worth a try?
Gruass, Franco
Am Mon, 1 May 2023 15:48:16 +0200 schrieb Benoît Panizzon via swinog swinog@lists.swinog.ch:
Some update
It looks like Gandi at least messed up their Registrar UI.
Gandi Support confirmed the issue. Their API is getting stuck while trying to remove no longer existing DS entries from the ch TLD, preventing adding new ones.
-
Benoît Panizzon -
Daniel Stirnimann -
Franco Hug -
swinog@klingonsec.ch