DNSSEC warning when generating keys

Why is creating a DNSSEC key giving this warning?
Probably the warning is issued because the key is created/ordered at user level. And the user cannot undo it anymore, because files need to be deleted in the named directory and named.conf needs to be adjusted. Only a root admin can do that. Not a user, not a reseller.
So that would justify the warning.

Also often users do not register their own domains but the hoster does, so if they enable DNSSEC and it's not (correctly) present at the registrar it might run into issues too.

Don't worry about it, I've got a couple of DNSSEC domains myself and it's working fine and I also have removed one before.
 
So:
1. The ADMIN sets dnssec to value=1 (start with the easy step)
2. A USER creates a key for a domain.tld
3. A USER applies the setting to the domain settings at the registrar

If a user does step 2, without step 3, would that cause a problem? Or will that still respond as a "no DNSSEC", and everything works as before?
 
3. A USER applies the setting to the domain settings at the registrar
A lot of times hosters will register the domains in their name and have to take step 3. But yes.
And even if a USER will do this at the registrar, they do have the risk they fill in the wrong key.
Luckily my registrar won't accept wrong keys. :)

If a user does step 2, without step 3, would that cause a problem?
Very good question... Maybe it could cause a local problem but I'm not sure. But this question is just a very good reason to issue such a warning to the user when he creates a DNSSEC key.
 
So:
1. The ADMIN sets dnssec to value=1 (start with the easy step)
2. A USER creates a key for a domain.tld
3. A USER applies the setting to the domain settings at the registrar

If a user does step 2, without step 3, would that cause a problem? Or will that still respond as a "no DNSSEC", and everything works as before?

You're correct, it will not have any effect until you add the key at the registrar of your domain.

Regards,
 
Thanks,

I generated something like
Code:
111 2 33 AaaaaAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
But, what is actually my key tag? My provider TransIp.nl keeps telling me my KeyTag is incorrect...

I guess the Aaaaa...... is my public key?

And there's also a question about the used algorithm. Is this RSA-SHA1?
 
I guess my algorithm at my ISP is wrong. The number that DA generates is a bit hidden in my ISP dashboard where I have to make the settings. I'll give it a new try.
 
Oh wait, there are several key files you will see in your panel, only 1 is the correct one.
You will have a zone-signing key.
Then a DNSkey 256 (might be something like DNSkey 256 3 8).

Then there will be a key-signing key. This is the one you should use
This will be like DNSkey 257 3 8 if I'm correct.

You need that second key with Transip, so the 257 3 8 or whatever the DNS key under your key-signing key is.

The algo at Transip is not wrong, you have to use the correct key. So in this example with 257 3 8, then at Transip try and use:
keytag 257
then the value which matches the 8 so that would be RSA-SHA256(8), for flags use KSK since the Key Signing Key (257) is used.
And enter the key as last.

With another registrar this is way easier to enter, but I believe this is the correct way to do it with Transip. Can't check it anymore for you as I just recently moved most domains out of there, getting too expensive.
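To see where the numbers a registrar asks for actually come from: in a DNSKEY record such as "257 3 13 ...", 257 is the flags field (256 = zone key, +1 = the SEP bit that marks a KSK), 3 is the protocol, 13 is the algorithm, and the key tag is a separate 16-bit checksum computed over the whole record (RFC 4034, Appendix B). The DS digest the registrar publishes is a hash over the owner name plus that same record. The Python below is an added example, not DirectAdmin's or BIND's code; the 64-byte key is constructed and the example.com names are placeholders. It also classifies the delegation the way a validating resolver does, which answers the "step 2 without step 3" question from earlier in the thread: no DS at the parent means the zone is simply treated as unsigned, while a DS that matches no key in the zone makes it bogus.

```python
"""Key tag, DS record and delegation status for a DNSKEY (RFC 4034 sections 5
and Appendix B).  Added example with a constructed key, not a real one."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509); most registrars expect type 2 (SHA-256).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(text):
    """Turn presentation form 'flags protocol algorithm base64...' into wire RDATA."""
    flags, proto, alg, *b64 = text.split()
    key = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i in range(0, len(rdata), 2):
        hi = rdata[i]
        lo = rdata[i + 1] if i + 1 < len(rdata) else 0  # odd trailing byte is the high byte
        ac += (hi << 8) | lo
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(dnskey_text):
    """Flags 257 = zone key bit (256) plus SEP bit (1): a key-signing key. 256 = ZSK."""
    flags = int(dnskey_text.split()[0])
    return flags & 0x0101 == 0x0101


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, dnskey_text, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) as a registrar needs them."""
    rdata = parse_dnskey(dnskey_text)
    algorithm = rdata[3]
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def delegation_status(owner, parent_ds_set, child_dnskeys):
    """How a validating resolver sees the zone:
       'insecure' - no DS at the parent: zone resolves exactly as before signing;
       'secure'   - some DS matches a DNSKEY published in the zone;
       'bogus'    - DS present but matches no DNSKEY (wrong key entered at the
                    registrar): validating resolvers answer SERVFAIL for the zone."""
    if not parent_ds_set:
        return "insecure"
    for tag, alg, dtype, digest in parent_ds_set:
        for dnskey in child_dnskeys:
            if ds_record(owner, dnskey, dtype) == (tag, alg, dtype, digest.upper()):
                return "secure"
    return "bogus"


# Constructed sample: algorithm 13 (ECDSA P-256) keys are 64 raw bytes; this is
# not a real key, just the byte values 0..63 so the key tag can be checked by hand.
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.com", SAMPLE_KSK)
    print("KSK:", is_ksk(SAMPLE_KSK), "key tag:", tag, "algorithm:", alg)
    print("DS to enter at the registrar:", tag, alg, dtype, digest)
    print("before step 3:", delegation_status("example.com", [], [SAMPLE_KSK]))
    print("after step 3: ", delegation_status("example.com", [(tag, alg, dtype, digest)], [SAMPLE_KSK]))
```

Running this with a real "257 3 N ..." line from the panel and the zone's own name gives the same key tag, algorithm and digest that `dnssec-dsfromkey` would, so the values can be compared against what the registrar accepted before the zone is signed.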
 
Ok, TransIp accepts my input. My algorithm is "13" and I found that one.
I created the KSK record, as my ISP calls it.

I now see "add your zone" in my DA screens. Should I do that? I can't find any info on that on the DA website....
 
I now see "add your zone" in my DA screens. Should I do that?
??? I don't see that in either Enhanced or Evo skin.
Can you post a screenshot so I can see what that is and where?

You can try some fine tool like PicPick, which can also be used for free; it is easy to make region screenshots and also hide data (with the eraser) you don't want to be seen in public.
 
Hi I fixed it!

And I made a typo in the post Richard G: I was talking about "Sign your zone". I got nice warnings when I added the key to my ISP but hadn't signed my zone yet.

Enabled DNSSEC in the settings, generate keys, choose "Sign your zone" and add them to the ISP and wait..... And that's it.

It seems so simple when I read this....

Thanks!
 