[Opendnssec-user] disable DNSSEC

Emil Natan shlyoko at gmail.com
Sat Nov 17 10:06:16 UTC 2018


OpenDNSSEC is DNSSEC management and signing software. It's not a DNS server.
Yes, you can configure the signer daemon to listen on port 53 or whatever,
but that is to act as a bump on the wire: fetch the zone, sign it and notify
another DNS server which pulls and serves the zone. Not sure what your
setup is exactly, if you really are using your OpenDNSSEC machine as a public
nameserver.

Anyway, as you mentioned, your first step is to remove the DS record from
your registrar and make sure it disappears from the parent domain (if your
domain is registered under .com, make sure the DS disappears from there).
Then wait for the TTL of the DS record to make sure it expires from all caches.
For .com it's 2 days. Once that happens it does not matter if you are
serving a signed or unsigned zone, resolvers would not try to validate
responses for that domain.

Back to your server: if you are using OpenDNSSEC as a public nameserver I
would install a proper DNS server (BIND, NSD, Knot), set it up to serve
the unsigned version of your zone (it should be available under the
unsigned directory; I do not remember off the top of my head which is the
default location, probably /var/opendnssec/unsigned or something like that)
and stop the OpenDNSSEC services. Then you can decide how to move it all to
DNSMadeEasy, by either creating the zone using their web interface or leaving
your DNS server as a hidden master and publishing DNSMadeEasy as the public
authoritative service for the domain.

On Sat, Nov 17, 2018 at 3:25 AM Jamie Honnaker <jamie at honnaker.com> wrote:

> Hello,
>
> I currently have Opendnssec running on Ubuntu serving one domain name.
> That domain is signed.  The registrar is Godaddy.  I have that
> domain name set up on DNSMadeEasy as a secondary domain that pulls from my
> Opendnssec server.
>
> I want to disable DNSSEC so I can transfer the domain name to DNSMadeEasy
> as a primary domain and retire my Opendnssec server.
>
> I know I can log in to Godaddy and delete the DNSSEC key to disable DNSSEC
> at the registrar.  Do I also need to somehow convert my domain name on my
> Opendnssec server from signed to unsigned?  If so, how do I do that?
>
> Thanks,
>
> --
> Jamie
>
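
The timing check described in the reply above (DS gone from the parent, then one full DS TTL elapsed before the zone is served unsigned), as an added shell example that is not part of the original message. The sample dig output, the 172800-second TTL (chosen to match the "2 days" in the reply) and all function names are constructed for illustration.

```shell
#!/bin/sh
# Timing check for DS removal: confirm the DS is gone at the parent, then wait
# one full DS TTL before serving the zone unsigned.

# Constructed sample (not real data): answer section of a DS query sent to a
# parent-zone server BEFORE the DS was deleted at the registrar.
SAMPLE_BEFORE='example.com. 172800 IN DS 12345 8 2 ABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABAB'

# Live query (not run here). Ask a parent-zone authoritative server directly:
# a caching resolver would report a TTL that is already counting down.
query_parent_ds() {  # query_parent_ds <zone> <parent-server>
    dig +noall +answer +norecurse DS "$1" "@$2"
}

# Number of DS records in dig answer text read from stdin.
ds_count() {
    awk '$3 == "IN" && $4 == "DS" { n++ } END { print n + 0 }'
}

# Largest DS TTL in dig answer text read from stdin (0 if no DS records).
max_ds_ttl() {
    awk '$3 == "IN" && $4 == "DS" && ($2 + 0) > max { max = $2 + 0 }
         END { print max + 0 }'
}

# decide <ds_count_now> <gone_epoch> <ds_ttl> <now_epoch>
# gone_epoch: when the parent was first seen answering without a DS.
# ds_ttl: the TTL recorded while the DS was still published.
decide() {
    expiry=$(( $2 + $3 ))
    if [ "$1" -gt 0 ]; then
        echo "WAIT: DS still published at parent"
    elif [ "$4" -lt "$expiry" ]; then
        echo "WAIT: cached DS may live until $expiry"
    else
        echo "OK: safe to serve the unsigned zone"
    fi
}
```

Record the DS TTL with `query_parent_ds` before deleting the DS at the registrar, because once the record is gone the parent no longer reports it.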