I have a .de domain registered via do.de.
I set up the desec nameservers in the configuration of my domain (aaron-schaal.de). However, enabling DNSSEC gives me the following error message (probably from denic):
Nameserver error [ERROR: 216 No visible DNSKEY found signing the DNSKEY RR obtained in response]
There is no possibility to enter the DS keys on do.de, but only DNSSEC records.
I guess they need the 256 DNSSEC record for the zone, not only the 257 key record. (However, I am very new to DNSSEC… but it has already worked with a 256 record from another nameserver/DNS provider (1984.hosting).)
Is there any way to retrieve my 256 DNSSEC record from desec.io?
I do not know what (if any) mechanisms do.de has for communicating the DS records to the parent zone (de.). But if you registered the domain through them, then they would need to communicate with DENIC for this.
As for the question about 256 (ZSK) vs. 257 (KSK) DNSKEY records: deSEC uses a CSK (Combined Signing Key). There is no 256 (ZSK). A CSK is basically identical to a KSK but it is used to sign both DNSKEY records and the rest of the records in the zone. This is a perfectly valid setup. The only drawback is key rotation which requires an update of the DS records in the parent zone.
Note that I have no knowledge of how do.de works. I had never heard of them before your post.
Possibly for do.de you need to differentiate between DNS management and domain management. As you are using deSEC DNS servers, the former is irrelevant w.r.t. do.de. But in the same area where you changed the NS records (the delegation of the domain to deSEC name servers) you should find a way to enter either the DS records, or the KSK/CSK DNSKEY from which the DS records can be generated. If not, contact their support.
I have looked into this for a bit and found that the error can be reproduced using the deNIC online NAST tool at Nameserver Check - DENIC eG. I filled in your domain name, our name servers (ns1.desec.io; ns2.desec.org) and the DNSKEY (Algorithm 13, SEP set (“KSK/CSK”), and Y6BKe18HA04CBre32lLvHMiE6kYO8dLqdHHo7aJlmxrSwklw2/i91eQM BQDfn1gsxZN92Cqzxg26zknmXfUp6g== as public key value (also tried without the space…)). It will spit out the same error that you mentioned above.
At least one visible key passed for registration must validly sign the DNSKEY RRSet [otherwise ERROR is output]. This requirement serves to implement the proof of possession.
I am reading this as NAST saying that the RRSIG on the DNSKEY is not valid. For the record, it looks like this:
I have entered the 257 KSK key already in the web interface of do.de; however, there is that error message.
It is a bit strange since the 256 CSK key from 1984.hosting was working fine on do.de… However, 1984.hosting doesn’t offer the options I need, whereas desec.io does!
But there is no way to enter a DS key on do.de…
Thanks for reproducing my issue! Very strange that the NAST check works on your domain, but not on mine…!
I will write to the do.de support and ask them to assist me …
FWIW, the de registry does not accept DS records in general. They only accept DNSKEY as input, and compute DS records themselves. (They are essentially hashes of DNSKEY records.)
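To make the CSK/KSK point above and the "DS records are hashes of DNSKEY records" remark concrete, here is an added example (not code from the thread or from deSEC) that derives the DS RDATA the parent computes from a DNSKEY in presentation format. The DNSKEY sample is constructed (placeholder key bytes, not a real P-256 key); only the flags/algorithm shape follows the thread (257, algorithm 13).

```python
import base64
import hashlib
import struct

# Constructed sample in the thread's shape: flags 257 (SEP bit set, i.e. KSK/CSK),
# protocol 3, algorithm 13. The base64 key material is a placeholder, not a real key,
# and is split by whitespace on purpose: DNSKEY key fields may be broken across lines.
SAMPLE_DNSKEY = "257 3 13 AQID BA=="

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(presentation: str) -> bytes:
    """Wire RDATA of a DNSKEY: flags (2 bytes), protocol (1), algorithm (1), public key."""
    flags, proto, alg, *key_parts = presentation.split()
    key = base64.b64decode("".join(key_parts))  # whitespace inside the key is irrelevant
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def has_sep_bit(presentation: str) -> bool:
    """True for 257 (KSK/CSK); False for a 256 ZSK, which a parent would not want as DS input."""
    flags = struct.unpack("!H", dnskey_rdata(presentation)[:2])[0]
    return bool(flags & 0x0001)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the 'key id' that leads the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, presentation: str) -> str:
    """DS RDATA with digest type 2 (SHA-256 over owner wire name + DNSKEY RDATA)."""
    if not has_sep_bit(presentation):
        raise ValueError("SEP bit not set: this is a 256 ZSK, not a KSK/CSK")
    rdata = dnskey_rdata(presentation)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

if __name__ == "__main__":
    print(ds_record("example.de", SAMPLE_DNSKEY))
```

A registry that only accepts DNSKEY input runs exactly this derivation on its side, which is why a rejected key at registration time is a question about the DNSKEY RRset and its signature, not about the DS value itself.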
We have contacted deNIC who confirmed that the DNSSEC setup on our end is correct, despite the test not passing. We will update this thread once deNIC gets back to us with more information.
Nils sent me a new DNSSEC record that now works! It was an issue of deNIC’s NAST test. deNIC seems to be working on an improvement for their NAST test that creates fewer false positives…