[arin-tech-discuss] DNSSEC Signing of reverse domains - fails with Algorithm 13
Michael Sinatra
michael+ppml at burnttofu.net
Thu Mar 5 13:42:02 EST 2020
I don't think ARIN support of alg 13 is an issue. I run plenty of
ARIN-delegated reverse domains with alg 13 and alg 14 that work fine.
I think the problem is that your RRSIGs are expired:
;; ANSWER SECTION:
25.96.192.in-addr.arpa. 172771 IN NS secdns2.posix.co.za.
25.96.192.in-addr.arpa. 172771 IN NS secdns1.posix.co.za.
25.96.192.in-addr.arpa. 172771 IN NS control.vweb.co.za.
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 8 5 86400 *20191228210114*
20191128210114 65283 25.96.192.in-addr.arpa.
C/kpJN0ZZW77w8GSrZ3aKiV3IIRnFZ2bRYTlN6gT/2seOA3YSDL/iwuv
nkhSbR+PFtTjZM73hp9RFHt9XmutwVOE+fT6adX56ofCBS7YG463XiOA
uDWarUkUUFf+ZyKXLbwqVRyNLXPJl0hgadNpEt4wfTUSn39ZUIq+a/9y d54=
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 13 5 86400 *20191228210114*
20191128210114 10628 25.96.192.in-addr.arpa.
9ZSyvefs5uot0GnEbXj+A88bzFTfchgzrJmh0ZmGfCieTX6lyLdAjfBc
rEq2VtFIxXAP8cHDUCr0fU+SRxqKew==
(NOTE: emphasis added in the expired RRSIGs above)
michael
On 2020-03-05 10:31, Mark Elkins wrote:
> Hi,
>
> Just joined the list and I've searched back 12 month and see no similar
> topic.
>
> I've been DNSSEC Signing my domains for several years - probably as I
> was teaching others how to do that.
> This includes my Reverse DNS too.
> I am in the AFRINIC Region.
> I have some Legacy IPv4 address space - originally from ARIN.
> 192.96.24.0 - 192.96.24.31 (and others)
>
> About six months ago - I started the process of changing everything from
> Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA Curve P-256 with
> SHA-256). From my point of view, everything has been working completely
> automatically - except for the Reverse DNS - where I have to go to
> "my.afrinic.net" and manually update DS Records (there is no automation
> for this at AFRINIC).
>
> Please look at 24.96.192.in-addr.arpa. and 25.96.192.in-addr.arpa.
> 24 is no longer signed (because of this problem), 25 is signed (algo 13)
>
> The Parent for the legacy block 24.96.192.in-addr.arpa is
> 192.in-addr.arpa - who's nameservers include z.arin.net.
>
> In that zone file - there is a DS record for 25.96.192.in-addr.arpa:-
>
> 25.96.192.in-addr.arpa. 86289 IN DS 36223 13 2
> 5DA9B9AC1C9D9C72434BEC68E9C5CF36A10FA480E6551CC9F2538745 4932E14E
> (This is the correct DS record - you can ask for the CDS for this from
> control.vweb.co.za)
>
> ...but asking a DNSSEC aware recursive resolver gives....SERVFAIL.
>
> dig @1.1.1.1 25.96.192.in-addr.arpa ns
>
> ; <<>> DiG 9.14.8 <<>> @1.1.1.1 25.96.192.in-addr.arpa ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39329
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ...
>
> This worked perfectly with Algorithm 8, before I moved to Algorithm 13.
>
> *When will the DNS system at ARIN support Algorithm 13?*
>
> My IPv6 Reverse DNS signed with DNSSEC works perfectly with Algorithm 13.
>
> $ dig -x 2001:42a0::1 @1.1.1.1 +dnssec +multiline
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200
> IN PTR control.vweb.co.za.
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200
> IN RRSIG PTR 13 34 7200 (...
>
>
> --
>
> Mark James ELKINS - Posix Systems - (South) Africa
> mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
> Posix SystemsVCARD for MJ Elkins
>
>
> _______________________________________________
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
>
More information about the arin-tech-discuss
mailing list