[Opendnssec-user] disable DNSSEC

Jamie Honnaker jamie at honnaker.com
Sat Nov 17 14:20:20 UTC 2018


Hi Emil,

Thank you so much for your reply.  I understand quite a bit better how this
all works now.  You are correct, I have bind running on my server as the
name server.  Opendnssec is just the signer.  Currently my server is a
hidden master.  DNSMadeEasy is the secondary and Godaddy points DNS for my
domain to DNSMadeEasy's servers.  Godaddy support is ready to convert my
domain on their system from secondary to primary on their backend so I have
no downtime and do not have to change my DNS servers at Godaddy.  However,
DNSMadeEasy only supports DNSSEC as a secondary server, not as a primary.
So, they can't convert the domain from secondary to primary until I disable
DNSSEC.  I understand your first paragraph about deleting the DS records at
Godaddy and waiting 2 days.  Yes, my domain name is .com.

Since my server is running bind and Opendnssec, is it currently serving my
domain name in both signed and unsigned mode to DNSMadeEasy?  If I just
delete the DS records from Godaddy for my domain name and wait 2 days, is that
all I have to do to make it unsigned?

Thanks,

-- 
Jamie


On Sat, Nov 17, 2018 at 2:06 AM Emil Natan <shlyoko at gmail.com> wrote:

> OpenDNSSEC is DNSSEC management and signing software. It's not a DNS server.
> Yes, you can configure the signer daemon to listen on port 53 or whatever,
> but it's meant to act as a bump in the wire: fetch the zone, sign it and notify
> another DNS server which pulls and serves the zone. Not sure what your
> setup is exactly, if you really are using your OpenDNSSEC machine as a public
> nameserver.
> Anyway, as you mentioned, your first step is to remove the DS record from
> your registrar and make sure it disappears from the parent domain (if your
> domain is registered under .com, make sure the DS disappears from there).
> Then wait for the TTL of the DS record to make sure it expires from all caches.
> For .com it's 2 days. Once that happens it does not matter if you are
> serving a signed or unsigned zone; resolvers would not try to validate
> responses for that domain.
> Back to your server, if you are using OpenDNSSEC as a public nameserver I
> would install some proper DNS server (BIND, NSD, Knot), set it up serving
> the unsigned version of your zone, which should be available under the
> unsigned directory (do not remember off the top of my head which is the
> default location, probably /var/opendnssec/unsigned or something like that),
> and stop the OpenDNSSEC services. Then you can decide how to move it all to
> DNSMadeEasy by either creating the zone using their web interface or leaving
> your DNS server as hidden master and publishing DNSMadeEasy as the public
> authoritative servers for the domain.
>
> On Sat, Nov 17, 2018 at 3:25 AM Jamie Honnaker <jamie at honnaker.com> wrote:
>
>> Hello,
>>
>> I currently have Opendnssec running on Ubuntu serving one domain name.
>> That domain is signed.  The registrar is Godaddy.  I have that
>> domain name set up on DNSMadeEasy as a secondary domain that pulls from my
>> Opendnssec server.
>>
>> I want to disable DNSSEC so I can transfer the domain name to DNSMadeEasy
>> as a primary domain and retire my Opendnssec server.
>>
>> I know I can log in to Godaddy and delete the DNSSEC key to disable DNSSEC
>> at the registrar.  Do I also need to somehow convert my domain name on my
>> Opendnssec server from signed to unsigned?  If so, how do I do that?
>>
>> Thanks,
>>
>> --
>> Jamie
>
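The order Emil gives above (DS gone from the parent, DS TTL expired, only then serve unsigned), as an added go/no-go check; this is example code, not from the thread or from OpenDNSSEC. It assumes dig-style answer lines as input and uses example.com, a 2-day DS TTL and placeholder digests as constructed sample data:

```python
# Added example (not from the thread): encodes the order Emil describes,
# i.e. DS removed at the parent, DS TTL expired from caches, then stop signing.
# Inputs are dig-style answer lines; samples below are constructed placeholders.
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

def parse_answer(text):
    """Parse 'owner TTL IN TYPE rdata' lines, as in a dig ANSWER section."""
    rrs = []
    for line in text.strip().splitlines():
        line = line.split(";")[0].strip()            # strip dig comments
        if line:
            owner, ttl, _cls, rtype, *rdata = line.split()
            rrs.append(RR(owner.rstrip(".").lower(), int(ttl),
                          rtype.upper(), " ".join(rdata)))
    return rrs

def ds_at_parent(rrs, zone):
    """DS RRs the parent (.com) still publishes for zone; empty means removed."""
    zone = zone.rstrip(".").lower()
    return [r for r in rrs if r.rtype == "DS" and r.name == zone]

def seconds_until_ds_expired(ds_ttl, seconds_since_removal):
    """Resolvers may keep the old DS for its full TTL after the parent drops it."""
    return max(0, ds_ttl - seconds_since_removal)

def served_signed(rrs):
    """True while the authoritative answer still carries DNSSEC material."""
    return any(r.rtype in DNSSEC_TYPES for r in rrs)

def unsign_decision(parent_rrs, zone, ds_ttl, seconds_since_removal):
    """Return (ok_to_stop_signing, reason) for the zone."""
    if ds_at_parent(parent_rrs, zone):
        return False, "DS still at parent: delete it at the registrar first"
    wait = seconds_until_ds_expired(ds_ttl, seconds_since_removal)
    if wait:
        return False, f"DS removed but may be cached for {wait} more seconds"
    return True, "DS gone and expired from caches: safe to serve unsigned"

# Constructed samples: parent answer before/after DS removal (2-day TTL, as
# the thread gives for .com) and the child's own DNSKEY answer while signed.
PARENT_BEFORE = "example.com. 172800 IN DS 12345 13 2 PLACEHOLDERDIGEST"
PARENT_AFTER = "; no DS records in answer"
CHILD_SIGNED = """example.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20181201000000 20181117000000 12345 example.com. PLACEHOLDERSIG"""
```

Feed it real `dig +noall +answer example.com DS @a.gtld-servers.net`-style output and the observed DS TTL instead of the constructed lines.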