[arin-tech-discuss] DNSSEC Signing of reverse domains - fails with Algorithm 13
Mark Elkins
mje at posix.co.za
Thu Mar 5 13:31:57 EST 2020
Hi,
Just joined the list and I've searched back 12 months and see no similar
topic.
I've been DNSSEC Signing my domains for several years - probably as I
was teaching others how to do that.
This includes my Reverse DNS too.
I am in the AFRINIC Region.
I have some Legacy IPv4 address space - originally from ARIN.
192.96.24.0 - 192.96.24.31 (and others)
About six months ago - I started the process of changing everything from
Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA Curve P-256 with
SHA-256). From my point of view, everything has been working completely
automatically - except for the Reverse DNS - where I have to go to
"my.afrinic.net" and manually update DS Records (there is no automation
for this at AFRINIC).
Please look at 24.96.192.in-addr.arpa. and 25.96.192.in-addr.arpa.
24 is no longer signed (because of this problem), 25 is signed (algo 13)
The Parent for the legacy block 24.96.192.in-addr.arpa is
192.in-addr.arpa - whose nameservers include z.arin.net.
In that zone file - there is a DS record for 25.96.192.in-addr.arpa:-
25.96.192.in-addr.arpa. 86289 IN DS 36223 13 2 5DA9B9AC1C9D9C72434BEC68E9C5CF36A10FA480E6551CC9F25387454932E14E
(This is the correct DS record - you can ask for the CDS for this from
control.vweb.co.za)
...but asking a DNSSEC aware recursive resolver gives....SERVFAIL.
dig @1.1.1.1 25.96.192.in-addr.arpa ns
; <<>> DiG 9.14.8 <<>> @1.1.1.1 25.96.192.in-addr.arpa ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
This worked perfectly with Algorithm 8, before I moved to Algorithm 13.
*When will the DNS system at ARIN support Algorithm 13?*
My IPv6 Reverse DNS signed with DNSSEC works perfectly with Algorithm 13.
$ dig -x 2001:42a0::1 @1.1.1.1 +dnssec +multiline
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa.
7200 IN PTR control.vweb.co.za.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa.
7200 IN RRSIG PTR 13 34 7200 (...
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
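An added example, not part of the message above and not ARIN or AFRINIC tooling: it computes the DS (digest type 2) that a parent must publish for a child's DNSKEY and compares it with the DS quoted from 192.in-addr.arpa, which is the first check to run when a signed delegation returns SERVFAIL. The 64-byte key is a constructed placeholder (not a real P-256 point); the DS text is the one quoted in the message.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase labels), RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"  # terminating root label

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey: bytes) -> tuple:
    """DS (digest type 2, SHA-256 over owner name + DNSKEY RDATA) the parent must publish."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds(text: str) -> tuple:
    """Parse 'tag alg dtype digest'; rejoin a digest that was split by whitespace
    when copied (as in the record quoted from 192.in-addr.arpa above)."""
    f = text.split()
    return (int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper())

def check_chain(owner, published, flags, algorithm, pubkey) -> bool:
    """True when the parent's DS matches the child's KSK; a mismatch, or a DS the
    validator cannot use, is what turns the answer into SERVFAIL."""
    return ds_from_dnskey(owner, flags, algorithm, pubkey) == published

# DS published in 192.in-addr.arpa for 25.96.192.in-addr.arpa, as quoted in the message.
PUBLISHED_DS = parse_ds("36223 13 2 5DA9B9AC1C9D9C72434BEC68E9C5CF36A10FA480E6551CC9F2538745 4932E14E")
# Constructed placeholder key (NOT a real P-256 point); a real check would take the
# public key from the child's DNSKEY RRset.
CONSTRUCTED_KEY = bytes(range(64))

if __name__ == "__main__":
    print("computed :", ds_from_dnskey("25.96.192.in-addr.arpa.", 257, 13, CONSTRUCTED_KEY))
    print("published:", PUBLISHED_DS)
    print("chain ok :", check_chain("25.96.192.in-addr.arpa.", PUBLISHED_DS, 257, 13, CONSTRUCTED_KEY))
```

With the placeholder key the comparison is false by construction; feed it the actual KSK from the child's DNSKEY RRset and a true result means the parent's DS is correct and the SERVFAIL must come from elsewhere (for example a validator or parent that does not handle algorithm 13).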