
Fedora 27, x64

I need to revoke a DNSSEC key in order to replace it and already know how to generate new keys, etc.; however I had to delete my old keys because they were causing my domains to be marked as being rogue as a result of old keys with incorrect values (there are no keys associated with the problem domains at all, now, except when checked via dnsviz.net).

I have found a way of restoring the root key - https://stackpointer.io/internet/get-dnssec-root-keys/534/, but the restored key id does not match either of those that I am having problems with (or the root key id, either), nor can I revoke it and neither does it allow me to actually re-generate the keys for inclusion in the named directory (it only tells dig where to find a trusted key for signing purposes). Can anyone help with this, please?

  • I am thoroughly confused as to what you are actually doing and why. Please 1) include the domain name, 2) try to explain what the actual problem and goal is more so than problems encountered with your attempted solution (see [XY-problem](https://en.wikipedia.org/wiki/XY_problem)). – Håkan Lindqvist Jan 22 '19 at 08:32
  • "my domains to be marked as being rogue as a result of old keys with incorrect values" Agreeing with Håkan Lindqvist, I really do not think that this is really the case of what is happening to you and you may be misreading some troubleshooting tool. Go look at DNSviz first. I **guess** the case is more about the fact that the DS records at the parent zone are not set up properly, hence breaking your domain. First rule of DNSSEC: if you do not truly understand how it works, stay away from it or use a DNS provider doing it on your behalf. Otherwise you have too many ways to shoot yourself in the foot. – Patrick Mevzek Jan 22 '19 at 17:30
  • First step would probably be to remove all DNSSEC on your domain before you fully understand it and how to operate it. If needed, go to your registrar and do an update to remove any DS records at the parent that may exist. Then you should be back into the default "unsecure" case, which should work. You can then calmly define what you need/want to do DNSSEC-wise and then implement it properly. – Patrick Mevzek Jan 22 '19 at 17:32

1 Answer


Thanks for all the help on this. I have successfully implemented and used DNSSEC prior to posting this question, but I have hit a few problems trying to find comprehensible (and up-to-date) documentation on the problem I encountered, which was that of old DNSSEC keys still being in use on a domain a good two weeks after I had replaced its keys on my DNS server and the corresponding entries on the registrar side of things.

Hopefully I have now fixed the problem after removing all DNSSEC keys and entries, and it would appear that zonemaster.net is in agreement with me that there is now no DNSSEC active on the domains.

Further to this, I understand that each DNSSEC key is supposed to have a default TTL of two days before being removed, but both domains (corequery.uk and insurgent.info) were still showing as having active keys when checked on dnsviz.net. That is why I was trying to 'resurrect' them, so I could revoke the resurrected keys and finally get the new, valid keys working.

  • "each DNSSEC key is supposed to have a default TTL of two days" No. Keys have no TTLs. DNSSEC works with RRSIG records, that is, signatures. Each signature has a start and stop of validity, besides the default DNS TTL system. At that level there is nothing that says a DNSKEY record has a maximum validity. Key rotations are something under your control, outside of the DNS, and normally based on policies outlined in a DPS. It depends a lot on how you manage the keys, either inside the nameserver or outside, like with OpenDNSSEC and/or some HSM. It is also rare to revoke keys. – Patrick Mevzek Jan 23 '19 at 18:45
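An added example (not code from the question or the answer) for the two checks the comments point at: computing a DNSKEY's key tag (the "key id" dig and dnsviz show) and the DS digest the parent zone must publish, so a registrar-side DS can be compared against the zone's DNSKEY, and reading an RRSIG's inception/expiration window, which is what governs whether a signature is still valid, not a TTL. The domain name, key bytes and RRSIG text in it are constructed.

```python
import base64
import hashlib
import struct
from datetime import datetime

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; the 'key id' that dig and dnsviz display."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """Wire RDATA of a DNSKEY: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for_dnskey(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 hex) the parent's DS must carry."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(parent_ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if the DS published at the parent (via the registrar) refers to this key."""
    tag, alg, dtype, digest = parent_ds
    return (tag, alg, dtype, digest.upper()) == ds_for_dnskey(owner, rdata)

def rrsig_valid_at(rrsig_rdata: str, now: str) -> tuple:
    """rrsig_rdata is dig's RRSIG text after the owner/TTL/class columns
    (TYPE alg labels origttl EXPIRATION INCEPTION keytag signer sig); 'now'
    is YYYYMMDDHHMMSS. Returns (inside validity window, signing key tag)."""
    f = rrsig_rdata.split()
    exp, inc, ts = (datetime.strptime(x, "%Y%m%d%H%M%S") for x in (f[4], f[5], now))
    return inc <= ts <= exp, int(f[6])

if __name__ == "__main__":
    # Constructed key material: KSK flags 257, algorithm 8, fake public key bytes.
    key = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(64))).decode())
    tag, alg, dtype, digest = ds_for_dnskey("corequery.uk.", key)
    print(f"DNSKEY key tag {tag}; DS at parent should read: {tag} {alg} {dtype} {digest}")
    # Constructed RRSIG over the DNSKEY RRset, checked on 2019-01-23.
    sig = f"DNSKEY 8 2 3600 20190205000000 20190122000000 {tag} corequery.uk. AAAA"
    print(rrsig_valid_at(sig, "20190123000000"))
```

To use it on a live zone, paste the DNSKEY fields from `dig DNSKEY <zone>` into dnskey_rdata and compare ds_for_dnskey against `dig DS <zone>` at the parent; a DS with no matching DNSKEY is the broken-chain case described in the comments.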