From 04989aec35de8f45e689de0d7b5826fb1cf6fb6f Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Sat, 11 Jan 2025 16:13:31 +0100
Subject: DNS: Update article, clarify INWX

---
 _drafts/migrating-dns-servers.md | 44 +++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/_drafts/migrating-dns-servers.md b/_drafts/migrating-dns-servers.md
index 60aff4a..668356f 100644
--- a/_drafts/migrating-dns-servers.md
+++ b/_drafts/migrating-dns-servers.md
@@ -168,24 +168,37 @@ other TLDs and other registrars.
     NSEC3-RRSIG|don't import NSEC3-RRSIG). All variants failed. I have no clue
     how this is supposed to work cleanly. [^7]
 
-1. Wait at least 24 hours (TTLs, DNS propagation time). \
-   *I am currently at this step. Further steps are guesswork*.
-1. Let PowerDNS output its own keys it generated for the zone.  Unfortunately,
+1. Wait at least 24 hours (TTLs, DNS propagation time).
+1. Let PowerDNS output its own keys it generated for the zone. Unfortunately,
    `pdnsutil export-zone-dnskey $zone $keynr` *does not output a completely
    valid record*, neither does `pdnsutil export-zone-ds $zone`. These outputs
-   are missing the TTLs. At least with PowerDNS 4.7.3 in the Debian stable
-   repos. I saw some tools like dnsviz break when you enter the records as-is.
-   No idea what would happen with INWX.
-
-   I am not sure, maybe I would have to temporarily run `unset-presigned' (see
-   below) so PowerDNS actually outputs the new keys?
+   are missing the TTLs in the second column, at least with PowerDNS 4.7.3 in
+   the Debian stable repos. You have to add those yourself. I saw some tools
+   like dnsviz break when you enter the records as-is.
+
+   **Important**, I had to temporarily run `unset-presigned $zone' (see
+   below) before running `pdnsutil export-zone-ds`, so PowerDNS actually outputs
+   the hash of the new key(s)! Otherwise it will only show the current keys
+   signature. Otherwise, you may also use online tools that convert the DNSKEY
+   to a DS record.
 1. Have a copy of the *current* DS / DNSKEY records as well (`dig` is your
    friend).
-1. Set the DNSSEC from "auto" to "manual" in the INWX web interface. Enter *both
-   the old and the new* DNSKEY (and DS? Depends on the registrar / registry, I
-   guess) records. \
-   As far as I know, this will be sent to the parent zone.
-1. Wait at least 24 hours (TTLs, DNS propagation time).
+1. Set the DNSSEC from "auto" to "manual" in the INWX web interface.
+     * Delete all keys from the domain.
+     * Add DNSSEC again for the domain, in manual mode.
+     * Add DNSKEY and DS records of the old keys.
+     * Add keys, insert DNSKEY and DS records emitted by pdnsutil.
+   As far as I know, this will be sent to the parent zone. [^8]
+1. After I got an email from INWX confirming the new DNSSEC entries, I ran
+   dnsviz again and nearly got an heart attack, because there were a lot of
+   errors and red exclamation marks. Actually, the DNSSEC was still valid (i.e.
+   not returning bogus records). The tool only complained about
+
+       The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no
+       RRSIG with algorithm 13 covering the RRset was returned in the response.
+1. Wait at least 24 hours (TTLs, DNS propagation time). - Depeding on the
+   previous DS records TTL. \
+   *I am currently at this step. Further steps are guesswork*.
 1. `pdnsutil unset-presigned $zone`. I guess at this point you must or should
       * stop PowerDNS, [^5]
       * edit the zone (clearing out the RRSIGs you imported. If I understood
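Review bot: the inline code quoting in the new "**Important**" paragraph is unbalanced, `unset-presigned $zone'` opens with a backtick and closes with an apostrophe, so Markdown will not render it as code; use a closing backtick (the earlier `pdnsutil export-zone-dnskey $zone $keynr` line shows the intended form). Same paragraph: "the current keys signature" should be "the current key's signature", and the two consecutive sentences both starting "Otherwise" read as a contradiction, the second one means "Alternatively". Later in the hunk, "nearly got an heart attack" should be "a heart attack" and "Depeding" should be "Depending". The new nested bullets under "Set the DNSSEC from "auto" to "manual"" are indented five spaces while the existing sub-list further down uses six, and the "As far as I know, this will be sent to the parent zone. [^8]" line follows the last bullet with no blank line, so it will be rendered as part of that bullet rather than as the step's own text. Finally, the dnsviz message quoted here ("DS RRset ... algorithm 13 ... but no RRSIG with algorithm 13") is exactly the transient state these steps produce: the new key's DS is published at the parent before `unset-presigned` makes PowerDNS sign with that key. It would help readers to say so explicitly next to the quote, and that the warning is expected to clear once the zone is signed with the new key, rather than leaving only "Actually, the DNSSEC was still valid".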
@@ -228,6 +241,9 @@ headache for me.
     [#9263](https://github.com/PowerDNS/pdns/issues/9263) and
     [#8892](https://github.com/PowerDNS/pdns/issues/8892)
      
+[^8]:
+    Actually, I have no idea why IWNX wants me to enter both the DS and the
+    DNSKEY. Only the DS gets entered in the DENIC servers.
 
 <!-- vim: set ft=markdown tw=80 ai tabstop=4 shiftwidth=4 expandtab: -->
 
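Review bot: "IWNX" in the new footnote [^8] is a typo for "INWX" (the registrar name used in the subject line and throughout the article); please correct it so the footnote matches the body text.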
-- 
cgit v1.2.3