According to deSEC’s instructions, I now need to enable DNSSEC by forwarding the DNSSEC record to my domain registrar — Joker — in either DS or DNSKEY format.
My understanding is that Joker only needs the DS record, since deSEC is acting as the DNS provider and handles key signing.
However, in the domain settings for my domain, I cannot find a way to submit the DS record. The form I do see appears to only accept DNSKEY format (with fields like kd-pubkey, kd-alg, etc.).
Does anyone know how to correctly submit the DS record to complete the DNSSEC delegation? Or did I misunderstand and is this not necessary?
If your NS delegation records in the parent domain are indeed set to deSEC’s nameservers then your registrar (Joker.com) will need to set the DS records in the parent domain.
Note: Setting the NS or DS records in the domain’s zone is not sufficient. Both need to be set in the parent domain.
Whether your registrar needs the DS records or the DNSKEY records (which btw. contain the public key only, not the private key) depends on their workflow and sometimes on the parent domain registry. Given a DNSKEY the DS records can be calculated.
As for the procedures for Joker.com, I have no experience with them. If they don’t have a web interface for this then you will need to contact their support. And they will probably tell you what data they need. You should probably start by reading their FAQ on the subject: DNSSEC | Joker.com FAQ
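As an added illustration of the point above that the DS records can be calculated from a DNSKEY (example code written for this thread, not from deSEC or Joker), the Python below computes the DS fields per RFC 4034 and compares them with a DS as the parent would publish it, which is the consistency check DNSViz performs. The owner name and key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Digest types registered for DS records (RFC 4034, RFC 4509, RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> tuple:
    """Return (key tag, algorithm, digest type, hex digest) for the DS record
    a parent zone would publish for this DNSKEY: digest(owner | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(published: tuple, dnskey_args: tuple) -> bool:
    """True when a DS published by the parent (tag, alg, digest type, digest)
    matches the DS computed from the child's DNSKEY; a mismatch is the kind of
    DS/CDS inconsistency DNSViz reports."""
    tag, alg, dtype, digest = published
    return ds_from_dnskey(*dnskey_args, digest_type=dtype) == (tag, alg, dtype, digest.upper())


# Constructed sample (placeholder key bytes, not a real DNSSEC key):
# a KSK (flags 257), protocol 3, algorithm 13 (ECDSAP256SHA256).
SAMPLE_OWNER = "Example.COM."
SAMPLE_DNSKEY = (SAMPLE_OWNER, 257, 3, 13, "AQIDBA==")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(*SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```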
Joker’s DNSSEC FAQ at DNSSEC | Joker.com FAQ suggests that the DNSSEC settings page would render a form, ‘Secure DNS (DNSSEC)’, where one could submit a DNSSEC record in the Domain Signer (DS) format.
However, to me the settings page renders a similar form but only with fields that correspond with a DNSSEC record in the DNSKEY format.
In fact, Joker appears to have pre-populated the correct values for a DNSKEY record into that form - pulled from deSEC?
Since I can’t find any DS format form on Joker, I have now saved the pre-populated DNSKEY format form.
In the meantime, I am yet to receive a reply from Joker support.
If this solves the matter, I thank you very much, fiwswe!
When you log in at deSEC.io, navigate to the list of domains and click the small “i” icon next to the domain of interest. It shows the delegation information in both DS and DNSKEY format.
That is entirely possible. deSEC provides both the CDS / CDNSKEY records as well as the RFC 9615 data meant to allow for automated provisioning of the DS records in the parent domain.
Using this data to at least prepopulate a web form is better than nothing (and sadly better than many other domain registrars). Of course, fully automating the process would be even better …
It worked, so that’s great! One last hiccup I had was that the DNS delegation and propagation was held up because I had omitted the trailing dots at the end of deSEC’s nameserver names in Joker. But now everything seems to work.
One smallish thing left: at https://dnsviz.net/, when I have my domain name analysed, the report says that the contents of the DS RRset are inconsistent with those of the CDS RRset. I think that the Child Domain Signer is something Joker should take care of, i.e. add to the “zone”? Well, hopefully this will not cause any trouble.
You can safely ignore these warnings. DNSViz should probably be less critical here.
That would be true for a zone delegated to Joker’s DNS servers.
But when you are using an external DNS service, such as deSEC, that service needs to set these records. Joker has no write access to the zone in this case. And since the NS delegation records point to deSEC no Joker server will ever receive any DNS queries for the zone. So Joker can’t do anything about the CDS (or any other) RRset in the zone. They are completely out of the picture regarding DNS. Their only remaining role is that of domain registrar.
Thank you for the explanation, fiwswe. I read somewhere that if the CDS is not properly set, there could be a risk of “drifting”. Do you know if, in this case, deSEC does (or should?) set the CDS?
You can easily check this using dig your.domain.tld. cds and dig your.domain.tld. cdnskey.
Or even: dig @ns1.desec.io. +norec your.domain.tld. cds if you want to be sure you are getting an answer from a deSEC NS.