SOA Error Using Voiden Registrar

I added desec as my nameservers to my domain about 12 hours ago. The SOA shows up in whois information immediately:

Name Servers:
    NS1.DESEC.IO
    NS2.DESEC.ORG

DNSSEC:
    signed

However, none of my updates work. When I used dig to query the SOA using Google, I get this error and no SOA shows up.

dig @8.8.8.8 -t soa chrysler.org.sg

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 -t soa chrysler.org.sg
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19118
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; OPT=15: 00 09 4e 6f 20 44 4e 53 4b 45 59 20 6d 61 74 63 68 65 73 20 44 53 20 52 52 73 20 6f 66 20 63 68 72 79 73 6c 65 72 2e 6f 72 67 2e 73 67 (“…No DNSKEY matches DS RRs of chrysler.org.sg”)
;; QUESTION SECTION:
;chrysler.org.sg. IN SOA

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 03 10:37:27 +08 2023
;; MSG SIZE rcvd: 93

If I use ns1.desec.io as the nameserver I get “badcookie retrying” but otherwise correct response:

dig @ns1.desec.io -t soa chrysler.org.sg
;; BADCOOKIE, retrying.

; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.desec.io -t soa chrysler.org.sg
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1223
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1a6aa76d6f78c81c0100000065445d6047a1d20d6eeccab6 (good)
;; QUESTION SECTION:
;chrysler.org.sg. IN SOA

;; ANSWER SECTION:
chrysler.org.sg. 300 IN SOA get.desec.io. get.desec.io. 2023113015 86400 3600 2419200 3600

;; Query time: 36 msec
;; SERVER: 45.54.76.1#53(45.54.76.1)
;; WHEN: Fri Nov 03 10:39:28 +08 2023
;; MSG SIZE rcvd: 120

DS records have already been submitted to the registrar and updated.

DNSSEC Analyzer shows everything green except these 2:

  1. None of the 1 DNSKEY records could be validated by any of the 1 DS records
  2. The DNSKEY RRset was not signed by any trusted keys

Usually even if the DNSSEC has issues like this, the RRs will still get propagated and the SOA will show correctly, so I’m not sure what’s going on here.

Anyone have any ideas on how to fix this?

Thank you.

Hi markdesilva,

Thank you for your message, and welcome to deSEC!

The DS record published by the parent is the following:

$ dig +short DS chrysler.org.sg
64131 14 2 A12EC53D8C9D405BFE1C644D8C479162F7D463C662D39E73F6F1EA64 F9DACE96

It seems like this is not the correct value. You’ll need to get the right one from the deSEC web portal, and update your DS record.

Stay secure,
Peter
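
The comparison described in the reply above, as an added example that is not part of the original thread: it derives the DS (digest type 2, SHA-256) and key tag from a DNSKEY per RFC 4034 and checks them against the DS line the parent publishes. The zone's real DNSKEY is not shown on this page, so `SAMPLE_PUBKEY` is a constructed placeholder and the function names are hypothetical.

```python
import hashlib
import struct

# DS line quoted in the thread, as published by the parent (dig +short output).
PARENT_DS = "64131 14 2 A12EC53D8C9D405BFE1C644D8C479162F7D463C662D39E73F6F1EA64 F9DACE96"
# Constructed 96-byte stand-in for an algorithm 14 public key (not the real key).
SAMPLE_PUBKEY = bytes(range(96))

def name_to_wire(name):
    """Canonical (lowercased) wire format of the owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    if digest_type != 2:
        raise ValueError("this example only implements SHA-256 (digest type 2)")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(text):
    """Parse 'tag alg type digest...'; dig may split the digest with spaces."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def ds_matches(owner, rdata, ds_text):
    """True only if tag, algorithm and digest all match the parent's DS."""
    parsed = parse_ds(ds_text)
    return make_ds(owner, rdata, parsed[2]) == parsed

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 14, SAMPLE_PUBKEY)  # KSK flags, alg 14
    print("derived DS:", make_ds("chrysler.org.sg", rdata))
    print("matches parent DS:", ds_matches("chrysler.org.sg", rdata, PARENT_DS))
```

A `False` result here corresponds to the validator's "No DNSKEY matches DS RRs" message: the authoritative servers answer correctly, but a validating resolver cannot chain the zone's key to the parent.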

Thank you Peter, I’m contacting Voiden now on this.

Best,
Mark

Just finished speaking with Voiden, apparently they didn’t update the DS as they told me they did. They just did it and now everything is working fine - thank you again!

Best,
Mark