[dns-operations] Request for Help: Who is looking after .org DNSsec?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Feb 6 20:29:01 UTC 2020


On Thu, Feb 06, 2020 at 05:51:51PM +0000, Matthew Richardson wrote:

> Looking at the whois for that domain, it is showing:-
> 
> >Updated Date: 2020-02-02T14:44:44Z
> 
> which suggests that something was changed 4 days ago...

But not the DS RR; it has been unchanged since 2019-01-08.

      tag  | alg | htyp |                                hval                                |   active   |  inactive
    -------+-----+------+--------------------------------------------------------------------+------------+------------
     50497 |   8 |    2 | \x13a7036cca235e203ae9b8693bd4c2b330f9d71357aee90fa2f4a7b1c90fbcb1 | 2017-10-20 | 2018-03-09
     47249 |   8 |    2 | \xef479fe25c2838d444d713cb001de7a980a9406e15d8ab462aa65f943796f5e6 | 2018-02-24 | 2019-01-08
     27685 |   8 |    2 | \x6018a56fb4e7aa51d2e93ed21f3e9a0591b08e4c9bc9a431c2f13d01a51aa9ec | 2019-01-08 |

The OP has a flawed key rollover process: the old KSK should not be
deactivated until some time after the DS record has been published.

If the old KSK is still available, it would be prudent to reactivate it.
The KSK history is:

 alg | flags |   active   |  inactive  |                                     key
 ----+-------+------------+------------+-----------------------------------------------------------------------------
   8 |   257 | 2017-10-20 | 2019-01-13 | AwEAAcTTVPpPK+DKxF953ljMuPuQbQEyFyt6YS2EcQtLo8x99KAuyn6+bzD0rQaehg1A2EwCXTls
     |       |            |            | zQDjTbxBP05EDw5KReXjM//QLK2buimgQzfEy4iXm9FEwS/DW914Y1NAQcYhdG0ARO/IAWiJts5O
     |       |            |            | 3wzr4UPKNerJJK47lOqCt+/000KdURFAEBygywowfjwC2xhlCS+3tPi1vEm95VLlR9GQWUk6tWRk
     |       |            |            | ovt2d5+e+1Z1cHzYRc+GFoHX/7gtxmT5aHY6bEvoBM9HkdyiXahXgAWAk0SeXCujvlxWFlNLte1/
     |       |            |            | Py6rjaI+5AArhmGPR7pET6o369UMKlo1pr1M3t6EMXM=
   8 |   257 | 2017-10-20 | 2018-02-24 | AwEAAdVwKv4DhBftCX9FJyyydZnX2R8e6U0USwyoqijfPy1Q2F+rslVUiKad0kbdutW5CFCILAej
     |       |            |            | NGTpAFTP5OTrmzgeyT0apVzHgeCF1LSgBY3hlt0flyIVfEnsWWTHQY+Zcq0JqjZ1B8K0JXsSgYJ6
     |       |            |            | Unvs/nsa+0RY6BlgnfhmjU11yGDRHB3xMsy7whzngVWm/6Gbn3eRNCjqExAtb2z94pNRVRv0uVrg
     |       |            |            | rRmT0ZR1u+8nvXbv0wRPz0t8VZvs/A7cf9QYvw1L8DHaY6A+puWxgQ2NRU7/+i6iiQjztFSKrgTB
     |       |            |            | pIVuS6TXLSF7GjSqHzEXf/QU2dEHUHfms8xzguU+NTs=
   8 |   257 | 2018-12-27 |            | AwEAAb59Qfjs9uSrfSSD9yh4DlNI6TjASbxQ2DVFD7ueIi0Cg3tj1/RzMkDrH0/l8pZ6xARzdlrk
     |       |            |            | 0gZfF4H14h14BjQZX6ra+HPIrTX4VXp6YJ4PNXhZ9Au9A0/AUS3rv+V/LKFKw5NlzCoADHerE2lB
     |       |            |            | ztvY7bNaG1GxhBdkpEgFAmh6J7kq7iFUgBhgnzJ8Ad6SQHFaTfvLooTRV4h7lUZS3aznPcE7Q4V3
     |       |            |            | JGTbordFoI91X6OgDkWSDYgm0P6WQKlNjANvejg7usH3s7oTvHMmGmUS+7bZwTlKDlfu5RgFlzJa
     |       |            |            | JTBNZaYFUOWifgvLE5XoI8WBrVzgKML7FfF51JJatx0=
   8 |   257 | 2020-01-09 |            | AwEAAZ7Jm0HiKiQAqLLl+t89nHwWhwCFbHT+hzaJxtZwK5cjuqnaU0D5rHnuZ5lMRqQDuPGexQxO
     |       |            |            | hxQhAdl/AREYgATCT2b2QtgUzVyCN/wC4epQ2B6duc2ypsEHlU4SvVf7w9SyX1Sed3XE2HMa0k60
     |       |            |            | Kr9g+30F5ij9kiQH0kDMkYJ6I93kbPu4Ma1cH10r9ffKh6bC1clCsussYLO1z+wBXmUeVnUK2qeR
     |       |            |            | w1y80cPCRdm4gk5SRBUV3irVruIh//ELGLtSiCMJLU1HetqVSdN+6RYzNN1UMBsLOTUG2Y98Tv5U
     |       |            |            | jjhtM0WwKePBNueKqxcuoWVYUCWBGCHKVjUkiVyLWu8=

While the zone apex has only the key below, whose key id does not match the DS
RRset.

        kasetsart.org.          DNSKEY  257 3 8 (
                                AwEAAZ7Jm0HiKiQAqLLl+t89nHwWhwCFbHT+hzaJxtZw
                                K5cjuqnaU0D5rHnuZ5lMRqQDuPGexQxOhxQhAdl/AREY
                                gATCT2b2QtgUzVyCN/wC4epQ2B6duc2ypsEHlU4SvVf7
                                w9SyX1Sed3XE2HMa0k60Kr9g+30F5ij9kiQH0kDMkYJ6
                                I93kbPu4Ma1cH10r9ffKh6bC1clCsussYLO1z+wBXmUe
                                VnUK2qeRw1y80cPCRdm4gk5SRBUV3irVruIh//ELGLtS
                                iCMJLU1HetqVSdN+6RYzNN1UMBsLOTUG2Y98Tv5Ujjht
                                M0WwKePBNueKqxcuoWVYUCWBGCHKVjUkiVyLWu8=
                                ) ; KSK; alg = RSASHA256 ; key id = 54142

The previous (2018-12-27) key (below) is the one that does, and it needs to be
re-activated (should not have been deactivated in the first place).

    kasetsart.org. 300 IN DNSKEY  257 3 8 (
        AwEAAb59Qfjs9uSrfSSD9yh4DlNI6TjASbxQ2DVFD7ueIi0Cg3tj1/RzMkDrH0/l8pZ6xARzdlrk
        0gZfF4H14h14BjQZX6ra+HPIrTX4VXp6YJ4PNXhZ9Au9A0/AUS3rv+V/LKFKw5NlzCoADHerE2lB
        ztvY7bNaG1GxhBdkpEgFAmh6J7kq7iFUgBhgnzJ8Ad6SQHFaTfvLooTRV4h7lUZS3aznPcE7Q4V3
        JGTbordFoI91X6OgDkWSDYgm0P6WQKlNjANvejg7usH3s7oTvHMmGmUS+7bZwTlKDlfu5RgFlzJa
        JTBNZaYFUOWifgvLE5XoI8WBrVzgKML7FfF51JJatx0=
        )

-- 
    Viktor.
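To make "does not match the DS RRset" concrete, here is an added example (mine, not part of Viktor's message or any project code) that recomputes the RFC 4034 key tag and the digest-type-2 DS digest for the two KSKs quoted above and checks them against the DS published in the parent; the DS values and key material come from the tables in the message, the function names are my own.

```python
import base64
import hashlib

ZONE = "kasetsart.org."
# DS published in the parent for this zone, taken from the DS table in the message:
# (key tag, algorithm, digest type, SHA-256 digest as hex).
PUBLISHED_DS = (27685, 8, 2,
                "6018a56fb4e7aa51d2e93ed21f3e9a0591b08e4c9bc9a431c2f13d01a51aa9ec")
# The two KSKs from the message: the deactivated 2018-12-27 key and the key now at the apex.
OLD_KSK_2018 = (
    "AwEAAb59Qfjs9uSrfSSD9yh4DlNI6TjASbxQ2DVFD7ueIi0Cg3tj1/RzMkDrH0/l8pZ6xARzdlrk"
    "0gZfF4H14h14BjQZX6ra+HPIrTX4VXp6YJ4PNXhZ9Au9A0/AUS3rv+V/LKFKw5NlzCoADHerE2lB"
    "ztvY7bNaG1GxhBdkpEgFAmh6J7kq7iFUgBhgnzJ8Ad6SQHFaTfvLooTRV4h7lUZS3aznPcE7Q4V3"
    "JGTbordFoI91X6OgDkWSDYgm0P6WQKlNjANvejg7usH3s7oTvHMmGmUS+7bZwTlKDlfu5RgFlzJa"
    "JTBNZaYFUOWifgvLE5XoI8WBrVzgKML7FfF51JJatx0=")
APEX_KSK_2020 = (
    "AwEAAZ7Jm0HiKiQAqLLl+t89nHwWhwCFbHT+hzaJxtZwK5cjuqnaU0D5rHnuZ5lMRqQDuPGexQxO"
    "hxQhAdl/AREYgATCT2b2QtgUzVyCN/wC4epQ2B6duc2ypsEHlU4SvVf7w9SyX1Sed3XE2HMa0k60"
    "Kr9g+30F5ij9kiQH0kDMkYJ6I93kbPu4Ma1cH10r9ffKh6bC1clCsussYLO1z+wBXmUeVnUK2qeR"
    "w1y80cPCRdm4gk5SRBUV3irVruIh//ELGLtSiCMJLU1HetqVSdN+6RYzNN1UMBsLOTUG2Y98Tv5U"
    "jjhtM0WwKePBNueKqxcuoWVYUCWBGCHKVjUkiVyLWu8=")

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lowercase) wire format, as the DS digest requires."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(zone, rdata):
    """RFC 4034 section 5.1.4, digest type 2: SHA-256(owner name | DNSKEY RDATA), hex."""
    return hashlib.sha256(wire_name(zone) + rdata).hexdigest()

def matches_ds(zone, rdata, ds):
    """True only if algorithm, key tag and digest all agree, i.e. a validator can chain."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and rdata[3] == alg and key_tag(rdata) == tag
            and ds_digest(zone, rdata) == digest)

if __name__ == "__main__":
    for label, key in (("2018-12-27 KSK", OLD_KSK_2018), ("2020-01-09 apex KSK", APEX_KSK_2020)):
        rd = dnskey_rdata(257, 3, 8, key)
        print(label, key_tag(rd), ds_digest(ZONE, rd), matches_ds(ZONE, rd, PUBLISHED_DS))
```

Run against a live zone you would feed it the DNSKEY RRset from the apex and the DS RRset from the parent; a KSK for which `matches_ds` is False for every published DS is exactly the broken chain described above.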

