[dns-operations] Request for Help: Who is looking after .org DNSsec?
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Feb 6 20:29:01 UTC 2020
On Thu, Feb 06, 2020 at 05:51:51PM +0000, Matthew Richardson wrote:
> Looking at the whois for that domain, it is showing:-
>
> >Updated Date: 2020-02-02T14:44:44Z
>
> which suggests that something was changed 4 days ago...
But not the DS RR, it has been unchanged since 2019-01-08.
tag | alg | htyp | hval | active | inactive
-------+-----+------+--------------------------------------------------------------------+------------+------------
50497 | 8 | 2 | \x13a7036cca235e203ae9b8693bd4c2b330f9d71357aee90fa2f4a7b1c90fbcb1 | 2017-10-20 | 2018-03-09
47249 | 8 | 2 | \xef479fe25c2838d444d713cb001de7a980a9406e15d8ab462aa65f943796f5e6 | 2018-02-24 | 2019-01-08
27685 | 8 | 2 | \x6018a56fb4e7aa51d2e93ed21f3e9a0591b08e4c9bc9a431c2f13d01a51aa9ec | 2019-01-08 |
The OP has a flawed key rollover process: the old KSK should not be
deactivated until some time after the DS record has been published.
If the old KSK is still available, it would be prudent to reactivate it.

The KSK history is:
alg | flags | active | inactive | key
----+-------+------------+------------+-----------------------------------------------------------------------------
8 | 257 | 2017-10-20 | 2019-01-13 | AwEAAcTTVPpPK+DKxF953ljMuPuQbQEyFyt6YS2EcQtLo8x99KAuyn6+bzD0rQaehg1A2EwCXTls
| | | | zQDjTbxBP05EDw5KReXjM//QLK2buimgQzfEy4iXm9FEwS/DW914Y1NAQcYhdG0ARO/IAWiJts5O
| | | | 3wzr4UPKNerJJK47lOqCt+/000KdURFAEBygywowfjwC2xhlCS+3tPi1vEm95VLlR9GQWUk6tWRk
| | | | ovt2d5+e+1Z1cHzYRc+GFoHX/7gtxmT5aHY6bEvoBM9HkdyiXahXgAWAk0SeXCujvlxWFlNLte1/
| | | | Py6rjaI+5AArhmGPR7pET6o369UMKlo1pr1M3t6EMXM=
8 | 257 | 2017-10-20 | 2018-02-24 | AwEAAdVwKv4DhBftCX9FJyyydZnX2R8e6U0USwyoqijfPy1Q2F+rslVUiKad0kbdutW5CFCILAej
| | | | NGTpAFTP5OTrmzgeyT0apVzHgeCF1LSgBY3hlt0flyIVfEnsWWTHQY+Zcq0JqjZ1B8K0JXsSgYJ6
| | | | Unvs/nsa+0RY6BlgnfhmjU11yGDRHB3xMsy7whzngVWm/6Gbn3eRNCjqExAtb2z94pNRVRv0uVrg
| | | | rRmT0ZR1u+8nvXbv0wRPz0t8VZvs/A7cf9QYvw1L8DHaY6A+puWxgQ2NRU7/+i6iiQjztFSKrgTB
| | | | pIVuS6TXLSF7GjSqHzEXf/QU2dEHUHfms8xzguU+NTs=
8 | 257 | 2018-12-27 | | AwEAAb59Qfjs9uSrfSSD9yh4DlNI6TjASbxQ2DVFD7ueIi0Cg3tj1/RzMkDrH0/l8pZ6xARzdlrk
| | | | 0gZfF4H14h14BjQZX6ra+HPIrTX4VXp6YJ4PNXhZ9Au9A0/AUS3rv+V/LKFKw5NlzCoADHerE2lB
| | | | ztvY7bNaG1GxhBdkpEgFAmh6J7kq7iFUgBhgnzJ8Ad6SQHFaTfvLooTRV4h7lUZS3aznPcE7Q4V3
| | | | JGTbordFoI91X6OgDkWSDYgm0P6WQKlNjANvejg7usH3s7oTvHMmGmUS+7bZwTlKDlfu5RgFlzJa
| | | | JTBNZaYFUOWifgvLE5XoI8WBrVzgKML7FfF51JJatx0=
8 | 257 | 2020-01-09 | | AwEAAZ7Jm0HiKiQAqLLl+t89nHwWhwCFbHT+hzaJxtZwK5cjuqnaU0D5rHnuZ5lMRqQDuPGexQxO
| | | | hxQhAdl/AREYgATCT2b2QtgUzVyCN/wC4epQ2B6duc2ypsEHlU4SvVf7w9SyX1Sed3XE2HMa0k60
| | | | Kr9g+30F5ij9kiQH0kDMkYJ6I93kbPu4Ma1cH10r9ffKh6bC1clCsussYLO1z+wBXmUeVnUK2qeR
| | | | w1y80cPCRdm4gk5SRBUV3irVruIh//ELGLtSiCMJLU1HetqVSdN+6RYzNN1UMBsLOTUG2Y98Tv5U
| | | | jjhtM0WwKePBNueKqxcuoWVYUCWBGCHKVjUkiVyLWu8=
While the zone apex has only the below, whose key id does not match the DS
RRset.
kasetsart.org. DNSKEY 257 3 8 (
AwEAAZ7Jm0HiKiQAqLLl+t89nHwWhwCFbHT+hzaJxtZw
K5cjuqnaU0D5rHnuZ5lMRqQDuPGexQxOhxQhAdl/AREY
gATCT2b2QtgUzVyCN/wC4epQ2B6duc2ypsEHlU4SvVf7
w9SyX1Sed3XE2HMa0k60Kr9g+30F5ij9kiQH0kDMkYJ6
I93kbPu4Ma1cH10r9ffKh6bC1clCsussYLO1z+wBXmUe
VnUK2qeRw1y80cPCRdm4gk5SRBUV3irVruIh//ELGLtS
iCMJLU1HetqVSdN+6RYzNN1UMBsLOTUG2Y98Tv5Ujjht
M0WwKePBNueKqxcuoWVYUCWBGCHKVjUkiVyLWu8=
) ; KSK; alg = RSASHA256 ; key id = 54142
The previous (2018-12-27) key (below) is the one that does, and it needs to be
re-activated (should not have been deactivated in the first place).
kasetsart.org. 300 IN DNSKEY 257 3 8 (
AwEAAb59Qfjs9uSrfSSD9yh4DlNI6TjASbxQ2DVFD7ueIi0Cg3tj1/RzMkDrH0/l8pZ6xARzdlrk
0gZfF4H14h14BjQZX6ra+HPIrTX4VXp6YJ4PNXhZ9Au9A0/AUS3rv+V/LKFKw5NlzCoADHerE2lB
ztvY7bNaG1GxhBdkpEgFAmh6J7kq7iFUgBhgnzJ8Ad6SQHFaTfvLooTRV4h7lUZS3aznPcE7Q4V3
JGTbordFoI91X6OgDkWSDYgm0P6WQKlNjANvejg7usH3s7oTvHMmGmUS+7bZwTlKDlfu5RgFlzJa
JTBNZaYFUOWifgvLE5XoI8WBrVzgKML7FfF51JJatx0=
)
--
Viktor.
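
The check described in the message above (does any DS record at the parent still match a DNSKEY published at the zone apex?), as an added example that is not part of the original post. It computes the RFC 4034 key tag and the SHA-256 (digest type 2) DS digest for each published DNSKEY; the owner name and key material are constructed placeholders, not the kasetsart.org keys, and `matching_ds` is a hypothetical helper name.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags: int, protocol: int, alg: int, key_b64: str) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical (lowercase) owner name | RDATA."""
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def matching_ds(owner, ds_rrset, dnskeys):
    """Return the (tag, alg, digest_hex) DS records matched by a published DNSKEY.

    An empty result means no chain of trust from the parent: validating
    resolvers will treat the zone as bogus.
    """
    # rdata[3] is the algorithm octet of the DNSKEY RDATA.
    published = {(key_tag(r), r[3], ds_sha256(owner, r)) for r in dnskeys}
    return [ds for ds in ds_rrset if ds in published]

# Constructed sample data (4-byte toy "keys", illustration only).
OWNER = "example.org."
OLD_KSK = dnskey_rdata(257, 3, 8, "AQIDBA==")
NEW_KSK = dnskey_rdata(257, 3, 8, "BQYHCA==")
# The parent still holds only the DS for the old KSK.
PARENT_DS = [(key_tag(OLD_KSK), 8, ds_sha256(OWNER, OLD_KSK))]

if __name__ == "__main__":
    for label, apex in (("old KSK withdrawn", [NEW_KSK]),
                        ("both KSKs published", [OLD_KSK, NEW_KSK])):
        ok = matching_ds(OWNER, PARENT_DS, apex)
        print(f"{label}: {'chain intact' if ok else 'NO DS matches any DNSKEY'}")
```
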