Struggling to get DNSSEC set up with IONOS

Hello everyone,

Before I start: it seems that as a new user I can’t put more than two links in a post, so I’ll create placeholders like (1) and (2) wherever a link with more information would be appropriate, and I’ll try to add those links in replies to my post if I’m allowed to do that. If that doesn’t work, I guess it will be understandable enough without the links as well.

I’ve been trying to get DNSSEC configured for my domain flo-films.de for over a month now, making my way through several stages of the support team at IONOS. After convincing 1st level support that DNSSEC is a thing and that I’d like to be forwarded to 2nd level instead of having my ticket closed instantly, I have now had multiple rounds of me sending the information they want and them telling me why this still is not what they expect. So I’d like to make sure that I’ve indeed understood DNSSEC correctly (which I suppose I have, after reading quite a lot of DNSSEC-related documents at IETF, ICANN and DENIC) and that everything is configured correctly at deSEC (which I suppose it is, because the skill level here seems to be way above what IONOS has to offer to consumers). Anyway, I’d be glad if you could verify my understanding of the situation, especially since IONOS support has meanwhile reverted to just throwing whatever I send them against their API and sending me back the error messages (or the parts of them which they deem relevant), lol

So, when I first got through to the hostmasters, they said they needed the data in this format (copy-pasted verbatim from the mail I got):

{
  "extensions": {
    "secDNS": {
      "dsData": [
        {
          "keyTag": 2371,
          "alg": 13,
          "digestType": 2,
          "digest": "2D759783B25691A2E3375D42DAC27919F307E8505742947C7FA0A0A11D7098A4",
          "keyData": {
            "flags": 257,
            "protocol": 3,
            "alg": 13,
            "pubKey": "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKL+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="
          }
        }
      ]
    }
  }
}

So I took the information available from deSEC for flo-films.de and sent them the following, mentioning to them that they should try them one after the other - Variant 1 is just Variants 2 and 3 in a single JSON payload:

// Variant 1
{
  "extensions": {
    "secDNS": {
      "dsData": [
        {
          "keyTag": 35889,
          "alg": 13,
          "digestType": 2,
          "digest": "1923490e3262f1cf67bf9dc12d2f0d117741c6f4e51967c50b3a3459feea7dbd",
          "keyData": {
            "flags": 257,
            "protocol": 3,
            "alg": 13,
            "pubKey": "Vw2i93xnVROPvpYTgUuoMxZjqbYjPMh85Qg7iIAVDO8uVn8+QmPYjfCb0OoEm+7VYmQMlebMY2htJWjdmhhtIg=="
          }
        },
        {
          "keyTag": 35889,
          "alg": 13,
          "digestType": 4,
          "digest": "82a2a45ceaef1988f301a8a3f76c5c43996a6928047394853aeb89676f708cae8ecc2d187f08f75e4b713ab489f76ee4",
          "keyData": {
            "flags": 257,
            "protocol": 3,
            "alg": 13,
            "pubKey": "Vw2i93xnVROPvpYTgUuoMxZjqbYjPMh85Qg7iIAVDO8uVn8+QmPYjfCb0OoEm+7VYmQMlebMY2htJWjdmhhtIg=="
          }
        }
      ]
    }
  }
}

// Variant 2
{
    "extensions": {
      "secDNS": {
        "dsData": [
          {
            "keyTag": 35889,
            "alg": 13,
            "digestType": 2,
            "digest": "1923490e3262f1cf67bf9dc12d2f0d117741c6f4e51967c50b3a3459feea7dbd",
            "keyData": {
              "flags": 257,
              "protocol": 3,
              "alg": 13,
              "pubKey": "Vw2i93xnVROPvpYTgUuoMxZjqbYjPMh85Qg7iIAVDO8uVn8+QmPYjfCb0OoEm+7VYmQMlebMY2htJWjdmhhtIg=="
            }
          }
        ]
      }
    }
}

// Variant 3
{
    "extensions": {
      "secDNS": {
        "dsData": [
          {
            "keyTag": 35889,
            "alg": 13,
            "digestType": 4,
            "digest": "82a2a45ceaef1988f301a8a3f76c5c43996a6928047394853aeb89676f708cae8ecc2d187f08f75e4b713ab489f76ee4",
            "keyData": {
              "flags": 257,
              "protocol": 3,
              "alg": 13,
              "pubKey": "Vw2i93xnVROPvpYTgUuoMxZjqbYjPMh85Qg7iIAVDO8uVn8+QmPYjfCb0OoEm+7VYmQMlebMY2htJWjdmhhtIg=="
            }
          }
        ]
      }
    }
}

They then sent me back this error message, suggesting that they did not follow my instructions and simply stopped after the first variant:

<singleton-list>
  <com.oneandone.domain.regsys.model.generic.Error>
    <code>PARAMETER_VALUE_POLICY_ERROR</code>
    <fields class="sorted-set"/>
    <parameters>
      <string>&quot;Dnskey&quot; invalid</string>
      <string>dnskeys are not unique</string>
    </parameters>
  </com.oneandone.domain.regsys.model.generic.Error>
</singleton-list>

I then told them to try the second and third variant and report back to me. They then told me that I would have to pick one of the two records, so I responded to them that afaik multiple DS RRs should be possible and are indeed recommended, as this is simply publishing two hashes for the same key, referring them to the RFC to make my point (1). I then also told them to stick with Variant 2 with the SHA-256 hash in case their particular implementation did not support multiple DS RRs.

The last response I got from them today is that they tried Variant 2 and it returned this error message:

PARAMETER_VALUE_SYNTAX_ERROR Nameserver error ERROR: 216 No visible DNSKEY found signing the DNSKEY RR obtained in response Please ask customer to review the DNSSEC data provided.

So I did a little digging regarding that error message and apparently this is an error returned by DENIC, documented here: (2) and here: (3)

To make this even funnier, I then used DENIC’s tool mentioned at (4) to check my domain against the DNSKEY data provided by deSEC, and DENIC presented me with a success.
So here I am, wondering if I’m totally off in the wrong direction, and, if I am not, how to explain this to IONOS staff in a way that finally gets them to set the records I need.

If you made it until here, thanks for reading till the end; I’d be glad to hear your advice.

Links:
(1) RFC 4035: Protocol Modifications for the DNS Security Extensions
(2) https://www.denic.de/fileadmin/public/documentation/DENIC-26p.pdf
(3) https://www.denic.de/fileadmin/public/documentation/DENIC-23p.pdf
(4) NAST - DENIC eG
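The DS values in Variants 2 and 3 above can be recomputed from the DNSKEY data alone, which is the check worth running before arguing with a registrar. The following Python script is an added example; it is not part of the original post and not deSEC's, DENIC's or IONOS's tooling. It takes the flags, protocol, algorithm and public key quoted in the variants, builds the DNSKEY RDATA, derives the key tag per RFC 4034 Appendix B, hashes the canonical owner name plus RDATA to obtain the DS digests for SHA-256 (digest type 2) and SHA-384 (digest type 4), and compares them with the digests from Variant 2 and Variant 3. The owner name flo-films.de. and all constants are taken from the post; the function names are the example's own.

```python
import base64
import hashlib
import struct

# DNSKEY data for flo-films.de as quoted in the post above (the poster took it from deSEC).
OWNER = "flo-films.de."
FLAGS = 257      # ZONE (256) + SEP (1): a key-signing key
PROTOCOL = 3     # always 3 for DNSSEC (RFC 4034 section 2.1.2)
ALG = 13         # ECDSAP256SHA256
PUBKEY_B64 = "Vw2i93xnVROPvpYTgUuoMxZjqbYjPMh85Qg7iIAVDO8uVn8+QmPYjfCb0OoEm+7VYmQMlebMY2htJWjdmhhtIg=="

# DS digests the poster sent as Variant 2 (SHA-256) and Variant 3 (SHA-384).
POSTED_DS = {
    2: "1923490e3262f1cf67bf9dc12d2f0d117741c6f4e51967c50b3a3459feea7dbd",
    4: "82a2a45ceaef1988f301a8a3f76c5c43996a6928047394853aeb89676f708cae"
       "8ecc2d187f08f75e4b713ab489f76ee4",
}

# DS digest type numbers (RFC 4034 / IANA registry) mapped to hash constructors.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_records(owner, flags, protocol, alg, pubkey_b64, digest_types=(2, 4)):
    """Build one DS record per requested digest type for a single DNSKEY."""
    if not flags & 0x0100:
        raise ValueError("ZONE flag not set: this DNSKEY cannot anchor a DS record")
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    tag = key_tag(rdata)
    return [{"keyTag": tag, "alg": alg, "digestType": dt,
             "digest": ds_digest(owner, rdata, dt)} for dt in digest_types]


def check_posted(owner=OWNER, posted=POSTED_DS):
    """Recompute the DS digests and compare with the posted ones; returns {digestType: bool}."""
    records = ds_records(owner, FLAGS, PROTOCOL, ALG, PUBKEY_B64, tuple(posted))
    computed = {r["digestType"]: r["digest"] for r in records}
    return {dt: computed[dt] == digest.lower() for dt, digest in posted.items()}


if __name__ == "__main__":
    for rec in ds_records(OWNER, FLAGS, PROTOCOL, ALG, PUBKEY_B64):
        print(f"{OWNER} IN DS {rec['keyTag']} {rec['alg']} {rec['digestType']} {rec['digest']}")
    for dt, ok in check_posted().items():
        print(f"digest type {dt}: {'matches' if ok else 'MISMATCH against'} the posted value")
```

Run as-is it prints the two DS records in zone-file form; the key tag it derives from the posted DNSKEY is 35889, the value in all three variants. A mismatch on a digest would mean the DS data itself is wrong (typically a stray owner name, an uppercase label, or a key pasted from the wrong zone). A match only shows that the DS records correspond to this DNSKEY; it does not show that the authoritative servers actually serve this key or that the DNSKEY RRset is signed by it, which is the chain-of-trust check DENIC's error 216 refers to and which needs a live query.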

Hi FloSchwalm,

welcome to deSEC. :slight_smile: I’ve read through your post and could not spot an error in what you are trying to do. So, I’m sorry to say that the only advice I can give is to find a domain registrar that is DNSSEC-aware. If you need a recommendation I can do so privately, via the deSEC support email address.

Best,
Nils
