
A little while ago, I deployed DNSSEC because in doing so I reduced the number of security configuration checks I needed to implement on my local domain's DNS. These are Windows Server 2012 R2 machines.

This seems to have worked fine, except it causes an off-site backup arrangement we have to break. Our DNS had been set up to resolve a single host name to a load-balancing device we don't control, which then handles incoming data - basically just a drive space we toss our DPM backup files onto. This was a Delegation record inside of our Domain's zone, with the host name as the name of the record and containing a single NS entry for the load balancer.

It took a bit of time to figure out that DNSSEC was the cause, but in working with the other network team, it seems confirmed, and they have no plans to reconfigure anything to make it work on their end.

It would seem that I did not fully understand the implications of DNSSEC going into this. Is there a way to simply undo DNSSEC, however? I can certainly "Unsign" the zone, as seen in the DNSSEC menu on the DNS servers. But there's not really any guidance on this online that appears to be well written or recent. Is there more to it than simply Unsigning the zone?

The ITea Guy

1 Answer

4

Is there more to it than simply Unsigning the zone?

Oh yes, and if you fail to do it your domain will disappear (from any validating resolver).

The first thing to do is to remove the DS records at the parent, which you will need to do through your registrar.

Then you need to "wait". Instead of giving a specific value (as is done by people thinking the DNS has propagation, which it doesn't), as it depends on the parent and other factors, you shouldn't hurry. Do it the week after. But better, monitor for it. See when the parent nameserver stops publishing the DS records, take into account their previous TTL values, as well as the TTL values on your own DNSKEY and RRSIG records.

After all TTLs have expired, normally no one will try to validate your zone anymore.

Only at that moment is it safe for you to stop unsigning it, which means stop publishing DNSKEY, RRSIG and NSEC/NSEC3 records.

PS: not something you will want to read, but removing DNSSEC, especially because of some other broken system, is really not a good idea. You should instead invest time to fix that other system. Or design things differently so that this system does not need to rely on your DNSSEC enabled zone.

Patrick Mevzek
  • Unfortunately that "other system" isn't something I have any control over - it's our network provider's realm, and they've already said they're not changing things to allow our DNSSEC enabled configuration to work with it. – The ITea Guy Nov 20 '20 at 12:13
  • Also, we don't really have a registrar - this is an internal DNS, as none of our assets are resolved by people who aren't connected to the same switch. Closest we have is a remote website solution managed by the same provider - normally outsiders can't get to our internal site by design, but with their hosting solution they have outsiders access their system, which tunnels them to ours. – The ITea Guy Nov 20 '20 at 12:15
  • You still need to find the parent of your zone and make sure it removes `DS` records in its zone for your zone, and then wait, and then unsign on your side. – Patrick Mevzek Nov 20 '20 at 15:06
  • Patrick; I see in my locally hosted DNS server that there are DS records. As far as I'm aware we really are the Parent zone - there's another DNS server our workstations resolve to but as far as I am aware they only take requests and forward them on to us, as we resolve all host names on our Domain. These would be the ones to delete, then wait on before unsigning? – The ITea Guy Nov 24 '20 at 14:52
  • I don't know, since you didn't give enough details. If `example.com` is DNSSEC enabled then its parent, `com`, has DS records. Those are the ones that need to be removed before doing anything else. Use dnsviz or delv to track down your delegations and see where your DS records are. – Patrick Mevzek Nov 24 '20 at 15:15
  • I've given DNSVIZ a shot. When I key in my zone, it seems to show a chain, though at the very end of it it says "insecure" for my specific domain. Says Type A, NXDOMAIN, Servers with IPs I don't recognize, Query options UDP_-_EDNS0_4096_D_K, and STATUS: INSECURE. Also has a similar box for the apparent level above me (i.e. network.unit.com where I am domain.network.unit.com). This is something I inherited, so I am unsure we actually have a proper interaction with anyone outside our DNS, as outsiders never resolve to us. – The ITea Guy Nov 24 '20 at 17:08
  • According to my network higher-ups, I'm good to go - I unsigned my zones, cleared the DS records, and moved on. Since this was an all internal DNS zone, DNSSEC never truly mattered to anyone else outside of it. – The ITea Guy Nov 25 '20 at 19:14