Domain no longer fully secure after move
Sandro
lists at penguinpee.nl
Fri Dec 16 08:25:25 UTC 2022
On 14-12-2022 19:13, Sandro wrote:
> I recently (last weekend) moved the domain to a new registrar. The keys
> are now managed by the registrar directly. At least I don't see an
> option providing my own or additional keys in their web interface.
>
> Moreover, I'm no longer running my own DNS server. 🙁
> Previously, I could set my own BIND server as a primary server for my
> domain and have the registrar use AXFR to update the secondaries.
>
> The DNSViz analysis for the current situation:
> https://dnsviz.net/d/penguinpee.nl/Y5oJSw/dnssec/
>
> And from before the move:
> https://dnsviz.net/d/penguinpee.nl/Yq3P8w/dnssec/
>
> Verisign has one single complaint: No DS records found for penguinpee.nl
> in the nl zone.

Answering my own mail, by way of slapping my palm on my forehead.

The missing DS record in the .nl domain is all that's wrong. That breaks
the chain of validation, therefore showing all penguinpee.nl entries as
insecure.

I got confused earlier, since the RRs in penguinpee.nl are actually
signed. But it's the validation that breaks due to the missing DS
record. End of year fatigue...

-- Sandro