From 04989aec35de8f45e689de0d7b5826fb1cf6fb6f Mon Sep 17 00:00:00 2001 From: uvok cheetah Date: Sat, 11 Jan 2025 16:13:31 +0100 Subject: DNS: Update article, clarify INWX --- _drafts/migrating-dns-servers.md | 44 +++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 14 deletions(-) (limited to '_drafts') diff --git a/_drafts/migrating-dns-servers.md b/_drafts/migrating-dns-servers.md index 60aff4a..668356f 100644 --- a/_drafts/migrating-dns-servers.md +++ b/_drafts/migrating-dns-servers.md 
@@ -168,24 +168,37 @@ other TLDs and other registrars. NSEC3-RRSIG|don't import NSEC3-RRSIG). All variants failed. I have no clue how this is supposed to work cleanly. [^7] -1. Wait at least 24 hours (TTLs, DNS propagation time). \ - *I am currently at this step. Further steps are guesswork*. -1. Let PowerDNS output its own keys it generated for the zone. Unfortunately, +1. Wait at least 24 hours (TTLs, DNS propagation time). +1. Let PowerDNS output its own keys it generated for the zone. Unfortunately, `pdnsutil export-zone-dnskey $zone $keynr` *does not output a completely valid record*, neither does `pdnsutil export-zone-ds $zone`. These outputs - are missing the TTLs. At least with PowerDNS 4.7.3 in the Debian stable - repos. I saw some tools like dnsviz break when you enter the records as-is. - No idea what would happen with INWX. - - I am not sure, maybe I would have to temporarily run `unset-presigned' (see - below) so PowerDNS actually outputs the new keys? + are missing the TTLs in the second column, at least with PowerDNS 4.7.3 in + the Debian stable repos. You have to add those yourself. I saw some tools + like dnsviz break when you enter the records as-is. + + **Important**, I had to temporarily run `unset-presigned $zone' (see + below) before running `pdnsutil export-zone-ds`, so PowerDNS actually outputs + the hash of the new key(s)! Otherwise it will only show the current keys + signature. Otherwise, you may also use online tools that convert the DNSKEY + to a DS record. 1. Have a copy of the *current* DS / DNSKEY records as well (`dig` is your friend). -1. Set the DNSSEC from "auto" to "manual" in the INWX web interface. Enter *both - the old and the new* DNSKEY (and DS? Depends on the registrar / registry, I - guess) records. \ - As far as I know, this will be sent to the parent zone. -1. Wait at least 24 hours (TTLs, DNS propagation time). +1. Set the DNSSEC from "auto" to "manual" in the INWX web interface. + * Delete all keys from the domain. 
+ * Add DNSSEC again for the domain, in manual mode. + * Add DNSKEY and DS records of the old keys. + * Add keys, insert DNSKEY and DS records emitted by pdnsutil. + As far as I know, this will be sent to the parent zone. [^8] +1. After I got an email from INWX confirming the new DNSSEC entries, I ran + dnsviz again and nearly got an heart attack, because there were a lot of + errors and red exclamation marks. Actually, the DNSSEC was still valid (i.e. + not returning bogus records). The tool only complained about + + The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no + RRSIG with algorithm 13 covering the RRset was returned in the response. +1. Wait at least 24 hours (TTLs, DNS propagation time). - Depeding on the + previous DS records TTL. \ + *I am currently at this step. Further steps are guesswork*. 1. `pdnsutil unset-presigned $zone`. I guess at this point you must or should * stop PowerDNS, [^5] * edit the zone (clearing out the RRSIGs you imported. If I understood @@ -228,6 +241,9 @@ headache for me. [#9263](https://github.com/PowerDNS/pdns/issues/9263) and [#8892](https://github.com/PowerDNS/pdns/issues/8892) +[^8]: + Actually, I have no idea why IWNX wants me to enter both the DS and the + DNSKEY. Only the DS gets entered in the DENIC servers. -- cgit v1.2.3
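Review bot: In the first hunk, the "Delete all keys from the domain" sub-step followed by "Add DNSSEC again" deserves a sentence on the consequence: between the delete and the re-add, the registrar will have submitted an empty DS set to the parent, so validating resolvers treat the zone as insecure (not bogus) until the new DS set propagates; say so explicitly, or move the "Have a copy of the *current* DS / DNSKEY records" step ahead of this one so the reader has the old values on hand before deleting anything. The new dnsviz paragraph also stops mid-sentence ("The tool only complained about" followed by the quoted warning) and would read better as "complained about the following:"; the warning itself is expected at this point of the procedure, since the DS for the new key is already at the parent while the still-presigned zone serves only the old RRSIGs, and a short remark to that effect would spare the reader the same scare. Smaller points in the same hunk: the inline code spans `unset-presigned $zone'` and `unset-presigned' open with a backtick and close with a single quote, so they will not render as code; "Otherwise it will only show the current keys signature. Otherwise, you may also use online tools" repeats "Otherwise" and, since `export-zone-ds` emits a DS (a hash of the DNSKEY) rather than a signature, should read "the DS of the current key"; "an heart attack" should be "a heart attack" and "Depeding" should be "Depending".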
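Review bot: In the second hunk, the new footnote [^8] misspells the registrar as "IWNX" where the rest of the article uses "INWX". Also, since the footnote admits the reason for entering both DS and DNSKEY is unknown, it would be clearer to state that only the DS is observed at the DENIC servers (which is what the hunk says) and leave the reason as an open question rather than the reader having to infer it from the previous sentence.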