<div dir="ltr">With OpenDNSSEC you have two (zone)files. One is the unsigned zonefile which has the non-DNSSEC records (SOA, NS, A, MX etc) and you manage these manually using editor. The other one is the signed zonefile which has the non-DNSSEC records coming from the unsigned zonefile and DNSSEC records (DNSKEY, RRSIGs, NSEC/NSEC3) which are created by OpenDNSSEC. When your authoritative DNS servers serves a domain, it uses a zonefile to read the records from. It could be the unsigned zonefile or the signed zonefile, but not both.<div><br></div><div>Removing the DS from the parent domain will make your domain insecure, even if you continue to serve the signed zonefile, resolvers won't be able to validate the responses for your domain. While still serving the signed zonefile, your DNS server will still respond with DNSSEC signatures (generating more traffic), they just won't be used by the resolvers. If you decide to go insecure, then better change the domain configuration on your DNS server to use the unsigned zonefile.</div><div><br></div><div>Maybe if you want to share the name of the domain in question, I can look it up and advise you better. And I'm not sure how do you want your final configuration for the domain. Do you want to stop using your hidden master/signer? Do you want GoDaddy to provide DNS service for your domain (in addition to DNSMadeEasy)?</div><div><br></div><div>Emil</div><div><br></div><div><div class="gmail_quote"><div dir="ltr">On Sat, Nov 17, 2018 at 4:20 PM Jamie Honnaker <<a href="mailto:jamie@honnaker.com">jamie@honnaker.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Emil,<div><br></div><div>Thank you so much for your reply. I understand quite a bit better how this all works now. You are correct, I have bind running on my server as the name server. Opendnssec is just the signer. Currently my server is a hidden master. DNSMadeEasy is the secondary and Godaddy points DNS for my domain to DNSMadeEasy's servers. Godaddy support is ready to convert my domain on their system from secondary to primary on their backend so I have no downtime and do not have to change my DNS servers at Godaddy. However, DNSMadeEasy only supports DNSSEC as a secondary server, not as a primary. So, they can't convert the domain from secondary to primary until I disable DNSSEC. I understand your first paragraph about deleting the DS records at Godaddy and waiting 2 days. Yes, my domain name is .com. </div><div><br></div><div>Since my server is running bind and Opendnssec, is it currently serving my domain name in both signed and unsigned mode to DNSMadeeasy? If I just delete the DS records from Godaddy for my domain name and wait 2 days, that is all I have to do to make it unsigned?</div><div><br></div><div>Thanks,</div><div><br></div><div><div><div dir="ltr" class="m_-1894129679515360123gmail_signature" data-smartmail="gmail_signature">-- <br>Jamie<br></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, Nov 17, 2018 at 2:06 AM Emil Natan <<a href="mailto:shlyoko@gmail.com" target="_blank">shlyoko@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">OpenDNSSEC is DNSSEC management and signing software. It's not DNS server. Yes, you can configure the signer daemon to listen to port 53 or whatever, but it's to act as a bump on the wire, fetch zone, sign it and notify another DNS server which pulls and serves the zone. Not sure what's your setup exactly, if you really are using your OpenDNSSEC machine as a public nameserver.<div>Anyway, as you mentioned you first step if to remove the DS record from your Registrar and make sure it disappears from the parent domain (if you domain is registered under .com, make sure the DS disappears from there). Then wait the TTL of the DS record to make sure it expires from all caches. For .com it's 2 days. Once that happens it does not matter if you are serving signed or unsigned zone, resolvers would not try to validate responses for that domain.</div><div>Back to your server, if you are using OpenDNSSEC as public nameserver I would install some proper DNS server (BIND, NSD, Knot), set it up serving the unsigned version of your zone, it should be available under the unsigned directory (do not remember from the top of my head which is the default location, probably /var/opendnssec/unsigned or something like that) and stop the OpenDNSSEC services. Then you can decide how to move it all to DNSmadeEasy by either creating the zone using their web interface or leave your DNS server as hidden master and publish the DNSMadeEasy as public authoritative services for the domain.</div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, Nov 17, 2018 at 3:25 AM Jamie Honnaker <<a href="mailto:jamie@honnaker.com" target="_blank">jamie@honnaker.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I currently have Opendnssec running on Ubuntu serving one domain name. That domain domain is signed. The registrar is Godaddy. I have that domain name setup on DNSMadeEasy as a secondary domain that pulls from my Opendnssec server.</div><div><br></div><div>I want to disable DNSSEC so I can transfer the domain name to DNSMadeEasy as a primary domain and retire my Opendnssec server.</div><div><br></div><div>I know I can login to Godaddy and delete the DNSSEC key to disable DNSSEC at the registrar. Do I also need to somehow convert my domain name on my Opendnssec server from signed to unsigned? If so how do i do that? </div><div><br></div><div>Thanks,</div><div><br clear="all"><div><div dir="ltr" class="m_-1894129679515360123m_6758625900952376831m_-1963505044290634571gmail_signature" data-smartmail="gmail_signature">-- <br>Jamie <br></div></div></div></div>
_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org" target="_blank">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div></div></div>