Using deSEC with eu.org domain and DNSSEC (solution)

Hey everyone!

It has taken me a while, but I finally figured out how to configure DNSSEC when using a eu.org domain with DNS managed by deSEC. Sharing this info here so others can find it; I didn't have any luck in my own research.

For those unaware, you can apply for a free domain at https://nic.eu.org (yes, a real free domain, not subdomains etc). They are a non-profit organization that tries to keep the .org TLD alive. In case you apply for a domain: I don't think you need to be a resident of the EU or anything, and expect some wait time. Some of my domains were granted after 1-2 days, some took 3 weeks.

Adding a eu.org domain to deSEC should be pretty straightforward; I won't get into the details for that (copy the two NS from the deSEC interface into the eu.org interface when applying for the domain, wait, done).

What is tricky is enabling DNSSEC with them. This is what the interface at eu.org looks like for this:

And there is basically no documentation anywhere.

This is how it works: From your deSEC interface, click the little “i” information button at the right side of the domain list and you will see the provided nameservers and DS keys for that domain. (see screenshot below)

You need to copy both DS lines into the field at eu.org.

BUT it's not that simple.

You need to copy and submit each line separately. Both together does not work.
And you need to change the format a little bit.

In this example, the first line

12804 13 2 7017ce99192...

must become

dummy.eu.org. 86400 IN DS 12804 13 2 7017ce99192...

Paste that into the field and submit it. Then do the same for the second DS record line.

That's all. You don't need to worry about the DNSKEY that is also provided by deSEC.

Now you wait for propagation, and once that's done you can check the DNSSEC status with good old dig, like dig +dnssec dummy.eu.org; in the header it should have the ad flag. You can also use an online tool like https://dnssec-analyzer.verisignlabs.com

Now enjoy your free domain with free DNS with enabled DNSSEC :slight_smile:

Shoutout and thanks to Peter@deSEC who helped me figuring this out late at night!

(New users can only embed one screenshot in a post, so here is another)

This is the deSEC interface where you need to copy the two DS lines from:

With DNSSEC working I can now finally brag about a proper setup :wink:

This rule about only one screenshot per post is quite annoying haha, but of course I understand why it exists.

Concerning the screenshot and the two DS Records.

When creating new domains you now get only one DS record. Has this been changed?

Yes, this has been changed.

The reason is that some people just picked one of the two, which does not work in all cases: You need to have at least the DS record where the third number is 2. This follows from RFC 8624 Section 3.3 which says that hash algorithm 2 is mandatory to support for validation, while algorithm 4 is only recommended.

Thus, if you pick only the other one, validation may not work; some registries don’t even accept such DS records. Further, there is no indication that algorithm 2 is worse (less secure) for this purpose than algorithm 4 is. So we decided to simplify the situation and just display the one DS record that’s needed for sure.

Stay secure,
Peter

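To tie the two halves of the thread together, here is an added example (not code from the thread, from deSEC or from eu.org) that turns deSEC's DS lines into the one-record-per-submission format described in the first post, refuses a set that lacks a digest type 2 (SHA-256) record as Peter's reply explains, and checks a dig header for the ad flag. It assumes deSEC shows each DS as "<key tag> <algorithm> <digest type> <digest>" and that eu.org wants "<zone>. 86400 IN DS ..." with the 86400 TTL used in the thread; the sample DS lines and the dig header are constructed, with key tag and algorithm taken from the thread and the digests made up.

```python
"""Prepare deSEC DS records for eu.org and sanity-check them.

Added example, not tooling from deSEC, eu.org or the thread author.
Assumptions: deSEC lists each DS record as "<key tag> <algorithm> <digest type> <digest>",
eu.org wants one full resource record per submission ("<zone>. 86400 IN DS ..."),
and the 86400 TTL is the value shown in the thread. Sample inputs below are constructed.
"""
import re
from typing import List, NamedTuple

# Expected digest length in hex characters per DS digest type
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# RFC 8624 section 3.3: SHA-256 (type 2) is mandatory for validators,
# SHA-384 (type 4) only recommended, so keep at least one type-2 DS.
MANDATORY_DIGEST_TYPE = 2


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


_DS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_ds(line: str) -> DS:
    """Parse one DS line as shown by deSEC and check the digest length."""
    m = _DS_LINE.match(line)
    if not m:
        raise ValueError(f"not a DS line: {line!r}")
    key_tag, algorithm, digest_type = (int(m.group(i)) for i in (1, 2, 3))
    # Some interfaces wrap long digests; tolerate embedded whitespace.
    digest = re.sub(r"\s+", "", m.group(4)).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"digest is not hex: {digest!r}")
    expected = DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        raise ValueError(f"unsupported digest type {digest_type}")
    if len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} needs {expected} hex chars, got {len(digest)}")
    return DS(key_tag, algorithm, digest_type, digest)


def format_for_eu_org(zone: str, ds: DS, ttl: int = 86400) -> str:
    """Render one DS as the full RR string pasted into the eu.org field."""
    owner = zone.rstrip(".") + "."  # owner name must be fully qualified
    return f"{owner} {ttl} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def prepare_submissions(zone: str, desec_ds_lines: List[str]) -> List[str]:
    """Return one eu.org submission string per DS record (submit them one at a time).

    Refuses to proceed when no SHA-256 DS is present: a type-4-only delegation
    may fail validation or be rejected by the registry.
    """
    records = [parse_ds(line) for line in desec_ds_lines if line.strip()]
    if not any(r.digest_type == MANDATORY_DIGEST_TYPE for r in records):
        raise ValueError("no DS with digest type 2 (SHA-256) present")
    return [format_for_eu_org(zone, r) for r in records]


def has_ad_flag(dig_output: str) -> bool:
    """True if a dig response header carries the 'ad' (authenticated data) flag.

    The flag only appears when the resolver you queried validates DNSSEC itself.
    """
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line[len(";; flags:"):].split(";", 1)[0].split()
            return "ad" in flags
    return False


# Constructed sample input: key tag and algorithm as in the thread, digests made up.
SAMPLE_DESEC_DS = [
    "12804 13 2 " + "0123456789abcdef" * 4,  # SHA-256, 64 hex chars
    "12804 13 4 " + "0123456789abcdef" * 6,  # SHA-384, 96 hex chars
]

# Constructed dig header as a validating resolver would return it.
SAMPLE_DIG_HEADER = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
)

if __name__ == "__main__":
    for rr in prepare_submissions("dummy.eu.org", SAMPLE_DESEC_DS):
        print(rr)
    print("ad flag present:", has_ad_flag(SAMPLE_DIG_HEADER))
```

Run it and paste each printed line into the eu.org field as its own submission. When checking with dig afterwards, remember that the ad flag is set by a validating resolver; if your default resolver does not validate, point dig at one that does, or use the online analyzer mentioned above.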