Hello, I have changed the name server of my domain to deSEC. I have checked my domain with various DNSSEC tools and have received warnings.
Here is a screenshot:
Is there anything I can do about this? Is this a security risk or does it have serious consequences for me?
Thank you for your answers in advance!
Hello @Secono,
Did you update the DNS to the domain provider?
Use the grey circled i to get the information shown below for your domain.
“You also need to forward the following DNSSEC information to your domain provider. The exact steps depend on your provider: You may have to enter the information as a block in either DS format or DNSKEY format , or as individual values .”
An inconsistency can happen if you (or your registrar) set up only one DS record, although deSEC publishes two.
If that is the case, there is nothing to worry about. You can safely ignore the warning. Just make sure that DNSViz shows “secure” for the “delegation status” and “DNSKEY/DS/NSEC status”.
What you can do about it is setting the DS records at your registrar to match up exactly with the CDS records/your DNSSEC information. If your registrar supports it, that is. Some registrars do not support all hash/digest algorithms (e.g. only SHA-256, but not SHA-384), some do not support multiple DS records, etc.
Hello!
Thank you very much for your answers.
I have entered the DNSKEY correctly at my registrar.
I’m sorry if I’m asking a stupid question now. what do I need to do to get the CDS that published a record with SHA-384 to be supported by my registrar? Do I need a new DNSKEY that I have to publish?
DNSViz indicates that my domain is secure. Nevertheless, this error bothers me a lot…
Thank you very much.
I did a bit of reading again. The DNSKEY, which is created when deSEC is set up, is ECDSA P-256 with SHA256. The CDS record has two records for the DNSKEY. One for my stored DNSKEY with SHA256 and one for a DNSKEY (?) with SHA384. I don’t have another DNSKEY, only the first one when I set up deSEC. How can I create another DNSKEY that also matches the entry in the CDS with SHA384?
I have written to my registrar and hope that they will take over the DS record provided by deSEC so that my DNSViz warning can be resolved.
This is the error! My registrar has been asleep…
Hi Secono,
There is only one DNSKEY for your domain. DS records are computed from DNSKEY records by computing a hash, and there are multiple ways to do that, depending on the hash algorithm chosen.
Hash algorithm (= digest type) 2 is mandatory, and 4 is optional. As long as the DS record with digest type 2 is there, there is no problem.
As @black hinted, this is a display issue in DNSviz. Your registrar has done their job. We’ve been in touch with DNSviz to get this fixed.
Stay secure,
Peter
Ok, thank you very much. I would also like to thank you for your great service, your work is wonderful.
