ERROR: 216 No visible DNSKEY found signing the DNSKEY RR obtained in response

Hi,

I have a .de domain registered via do.de .
I set up the desec nameservers in the configuration of my domain (aaron-schaal.de). However, enabling DNSSEC gives me the following error message (probably from denic):

Nameserver error [ERROR: 216 No visible DNSKEY found signing the DNSKEY RR obtained in response]

There is no possibility to enter the DS keys on do.de, but only DNSSEC records.
I guess they need the 256 DNSSEC record for the zone, not only the 257 key record. (however I am very new to DNSSEC at all… But it has worked with a 256 record from another nameserver/DNS provider (1984.hosting) already)

Is there any way to retrieve my 256 DNSSEC record from desec.io?

This issue is very similar to Denic Error 217 "No Visible DNSKEY Found" … However, the error code is 216 , not 217 …

Do you have any idea what I can do (other than contacting the do.de support)?

Thanks!

Hi phonon112358,

Your real problem seems to be that the de. zone does not contain the DS records for your domain.

Take a look at:
https://dnsviz.net/d/aaron-schaal.de/dnssec/

I do not know what (if any) mechanisms do.de has for communicating the DS records to the parent zone (de.). But if you registered the domain through them, then they would need to communicate with DENIC for this.

As for the question about 256 (ZSK) vs. 257 (KSK) DNSKEY records: deSEC uses a CSK (Combined Signing Key). There is no 256 (ZSK). A CSK is basically identical to a KSK but it is used to sign both DNSKEY records and the rest of the records in the zone. This is a perfectly valid setup. The only drawback is key rotation which requires an update of the DS records in the parent zone.

Note that I have no knowledge of how do.de works. I had never heard of them before your post.

Possibly for do.de you need to differentiate between DNS management and domain management. As you are using deSEC DNS servers the former is irrelevant w.r.t do.de. But in the same area where you changed the NS records (the delegation of the domain to deSEC name servers) you should find a way to enter either the DS records, or the KSK/CSK DNSKEY from which the DS records can be generated. If not, contact their support.

HTH
fiwswe

Hi phonon112358,

thanks for your message and welcome to deSEC! :slight_smile:

I have looked into this for a bit and found that the error can be reproduced using the deNIC online NAST tool at Nameserver Check - DENIC eG. I filled in your domain name, our name servers (ns1.desec.io; ns2.desec.org) and the DNSKEY (Algorithm 13, SEP set (“KSK/CSK”), and Y6BKe18HA04CBre32lLvHMiE6kYO8dLqdHHo7aJlmxrSwklw2/i91eQM BQDfn1gsxZN92Cqzxg26zknmXfUp6g== as public key value (also tried without the space…)). It will spit out the same error that you mentioned above.

The documentation refers to Chapter 3.6.3 of the NAST test docs, which says

Mindestens ein sichtbarer zur Registrierung ĂĽbergebener SchlĂĽssel muss das DNSKEY-
RRSet gĂĽltig signieren [sonst Ausgabe von ERROR]. Diese Anforderung dient der Umsetzung des Proof of Possession.

In a rough translation,

At least one visible key passed for registration must validly sign the DNSKEY-
RRSet [otherwise output of ERROR]. This requirement is used to implement the proof of possession.

I am reading this as NAST saying that the RRSIG on the DNSKEY is not valid. For the record, it looks like this:

$ dig DNSKEY aaron-schaal.de @ns2.desec.org +dnssec +short
257 3 13 Y6BKe18HA04CBre32lLvHMiE6kYO8dLqdHHo7aJlmxrSwklw2/i91eQM BQDfn1gsxZN92Cqzxg26zknmXfUp6g==
DNSKEY 13 2 3600 20220526000000 20220505000000 24272 aaron-schaal.de. Rm5hxjT4PbsPo27z8ItM8P16QUc1geTCjvNJ+oLXEbIAOAy1sCeakoAB +j+L667Mx2j3Djv+S+rC7M0amSSDZw==

To check if this signature is valid for the DNSKEY contents, I have employed DNSViz. On mouse hover, it shows that the signature is indeed valid.

For comparison, nils-wisiol.de is a domain with DNSSEC configuration same as on aaron-schaal.de, but passes the NAST test.

We will continue to investigate this issue and get back to you as soon as possible!

1 Like

Thank you for your replies! :wink:

That’s not the issue I guess…

I have entered the 257 KSK key already in the webinterface of do.de , however there is that error message.

It is a bit strange since the 256 CSK key from 1984.hosting was working fine on do.de… However, 1984.hosting doesn’t offer the options I need, whereas desec.io does! :wink:

But there is no way to enter a DS key on do.de …

Thanks for reproducing my issue! Very strange that the NAST check works on your domain, but not on mine…!

I will write to the do.de support and ask them to assist me …

FWIW, the de registry does not accept DS records in general. They only accept DNSKEY as input, and compute DS records themselves. (They are essentially hashes of DNSKEY records.)

Stay secure,
Peter

1 Like

We have contacted deNIC who confirmed that the DNSSEC setup on our end is correct, despite the test not passing. We will update this thread once deNIC gets back to us with more information.

1 Like

Nils sent me a new DNSSEC record that now works! It was a issue of deNIC’s NAST test. deNIC seems to be working on an improvement for their NAST test that creates less false positives…