[Opendnssec-user] disable DNSSEC

Emil Natan shlyoko at gmail.com
Sat Nov 17 17:40:45 UTC 2018


With OpenDNSSEC you have two (zone)files. One is the unsigned zonefile,
which has the non-DNSSEC records (SOA, NS, A, MX, etc.), and you manage these
manually using an editor. The other one is the signed zonefile, which has the
non-DNSSEC records coming from the unsigned zonefile plus the DNSSEC records
(DNSKEY, RRSIGs, NSEC/NSEC3) which are created by OpenDNSSEC. When your
authoritative DNS server serves a domain, it uses a zonefile to read the
records from. It could be the unsigned zonefile or the signed zonefile, but
not both.

Removing the DS from the parent domain will make your domain insecure; even
if you continue to serve the signed zonefile, resolvers won't be able to
validate the responses for your domain. While still serving the signed
zonefile, your DNS server will still respond with DNSSEC signatures
(generating more traffic); they just won't be used by the resolvers. If you
decide to go insecure, then it is better to change the domain configuration on your
DNS server to use the unsigned zonefile.

Maybe if you want to share the name of the domain in question, I can look
it up and advise you better. And I'm not sure how you want your final
configuration for the domain. Do you want to stop using your hidden
master/signer? Do you want GoDaddy to provide DNS service for your domain
(in addition to DNSMadeEasy)?

Emil
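To make the sequence above checkable rather than a matter of waiting and hoping, here is an added example (my own code, not part of the thread and not OpenDNSSEC's). It classifies where a zone is in the "go insecure" sequence from three inputs: the DS answer the parent currently returns (assumed to be in the `dig +noall +answer DS <zone>` line format), the zone's own DNSKEY records, and the time the DS was removed together with the DS TTL the parent used (the two days Emil cites for .com). The DS digest and key-tag computations follow RFC 4034; the zone name, key material and timestamps are constructed placeholders, and the 4-byte "public key" is only there so the key tag (2068) can be checked by hand.

```python
import base64
import hashlib
import struct

# Digest types allowed in a DS record (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS RDATA the parent should publish for this DNSKEY: (key tag, alg, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds_answer(text):
    """Parse 'dig +noall +answer DS <zone>' style lines into (key tag, alg, digest type, digest) tuples.
    Comment lines and anything that is not a DS record are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[2] != "IN" or parts[3] != "DS":
            continue
        # dig may wrap a long digest over several whitespace-separated chunks.
        records.append((int(parts[4]), int(parts[5]), int(parts[6]), "".join(parts[7:]).upper()))
    return records


def delegation_status(parent_ds_text, zone_dnskeys, ds_removed_at, now, ds_ttl):
    """Classify where a zone is in the 'going insecure' sequence Emil describes.

    SECURE   - the parent still publishes a DS matching one of our DNSKEYs: keep serving the signed zone.
    MISMATCH - the parent publishes a DS matching none of our keys: validating resolvers will treat
               the zone as bogus, so fix the DS (or the keys) before anything else.
    WAITING  - the DS is gone from the parent but less than ds_ttl seconds have passed since removal:
               resolvers may still hold the DS in cache, so keep serving the signed zone.
    INSECURE - the DS is gone and the TTL has elapsed: switching to the unsigned zonefile is safe.
    ds_removed_at and now are Unix timestamps; ds_ttl is the TTL the DS had at the parent.
    """
    parent_ds = parse_ds_answer(parent_ds_text)
    if parent_ds:
        for tag, alg, dtype, digest in parent_ds:
            if dtype not in DIGEST_ALGS:
                continue  # unknown digest type: cannot be one of ours
            for owner, flags, proto, key_alg, b64 in zone_dnskeys:
                if (tag, alg, dtype, digest) == ds_from_dnskey(owner, flags, proto, key_alg, b64, dtype):
                    return "SECURE"
        return "MISMATCH"
    return "INSECURE" if now - ds_removed_at >= ds_ttl else "WAITING"


# --- Constructed sample data (placeholder zone, not a real key, not real .com data) ---
ZONE = "example.com."
# flags 257 = KSK (SEP bit), protocol 3, algorithm 13 (ECDSAP256SHA256), with a 4-byte
# placeholder "public key" so the key tag can be checked by hand: it is 2068.
ZONE_KSK = (ZONE, 257, 3, 13, "AQIDBA==")
COM_DS_TTL = 2 * 24 * 3600  # the two-day .com DS TTL Emil mentions


def sample_parent_answer():
    """A constructed dig-style DS answer matching ZONE_KSK, as the parent would publish it."""
    tag, alg, dtype, digest = ds_from_dnskey(*ZONE_KSK)
    return f"{ZONE}\t{COM_DS_TTL}\tIN\tDS\t{tag} {alg} {dtype} {digest}"


def demo_statuses():
    """Run the checker through the stages of the go-insecure sequence."""
    removed = 1542476400  # constructed removal time (seconds since epoch)
    keys = [ZONE_KSK]
    wrong_ds = f"{ZONE} {COM_DS_TTL} IN DS 2068 13 2 " + "00" * 32  # right tag, wrong digest
    return {
        "before removal": delegation_status(sample_parent_answer(), keys, removed, removed, COM_DS_TTL),
        "wrong DS at parent": delegation_status(wrong_ds, keys, removed, removed, COM_DS_TTL),
        "12h after removal": delegation_status("", keys, removed, removed + 12 * 3600, COM_DS_TTL),
        "2d after removal": delegation_status("", keys, removed, removed + COM_DS_TTL, COM_DS_TTL),
    }


if __name__ == "__main__":
    for stage, status in demo_statuses().items():
        print(f"{stage:>20}: {status}")
```

In practice you would feed `delegation_status` the real parent answer (queried at one of the parent's authoritative servers, not through a caching resolver, since a cached DS is exactly what the waiting period is about) and the DNSKEY RRset from your signed zonefile. The MISMATCH state is worth keeping: a DS at the parent that matches no DNSKEY you serve is the case where validating resolvers return SERVFAIL for the whole zone, which is worse than either the secure or the insecure end state.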

On Sat, Nov 17, 2018 at 4:20 PM Jamie Honnaker <jamie at honnaker.com> wrote:

> Hi Emil,
>
> Thank you so much for your reply. I understand quite a bit better how
> this all works now. You are correct, I have bind running on my server as
> the name server. Opendnssec is just the signer. Currently my server is a
> hidden master. DNSMadeEasy is the secondary and Godaddy points DNS for my
> domain to DNSMadeEasy's servers. Godaddy support is ready to convert my
> domain on their system from secondary to primary on their backend so I have
> no downtime and do not have to change my DNS servers at Godaddy. However,
> DNSMadeEasy only supports DNSSEC as a secondary server, not as a primary.
> So, they can't convert the domain from secondary to primary until I disable
> DNSSEC. I understand your first paragraph about deleting the DS records at
> Godaddy and waiting 2 days. Yes, my domain name is .com.
>
> Since my server is running bind and Opendnssec, is it currently serving my
> domain name in both signed and unsigned mode to DNSMadeEasy? If I just
> delete the DS records from Godaddy for my domain name and wait 2 days, is that
> all I have to do to make it unsigned?
>
> Thanks,
>
> --
> Jamie
>
>
> On Sat, Nov 17, 2018 at 2:06 AM Emil Natan <shlyoko at gmail.com> wrote:
>
>> OpenDNSSEC is DNSSEC management and signing software. It's not a DNS
>> server. Yes, you can configure the signer daemon to listen on port 53 or
>> whatever, but it's to act as a bump on the wire: fetch the zone, sign it and
>> notify another DNS server which pulls and serves the zone. Not sure what
>> your setup is exactly, if you really are using your OpenDNSSEC machine as a
>> public nameserver.
>> Anyway, as you mentioned, your first step is to remove the DS record from
>> your Registrar and make sure it disappears from the parent domain (if your
>> domain is registered under .com, make sure the DS disappears from there).
>> Then wait for the TTL of the DS record to make sure it expires from all caches.
>> For .com it's 2 days. Once that happens it does not matter if you are
>> serving the signed or unsigned zone, resolvers would not try to validate
>> responses for that domain.
>> Back to your server, if you are using OpenDNSSEC as a public nameserver I
>> would install some proper DNS server (BIND, NSD, Knot), set it up serving
>> the unsigned version of your zone, which should be available under the
>> unsigned directory (I do not remember off the top of my head which is the
>> default location, probably /var/opendnssec/unsigned or something like that)
>> and stop the OpenDNSSEC services. Then you can decide how to move it all to
>> DNSMadeEasy by either creating the zone using their web interface or leaving
>> your DNS server as hidden master and publishing DNSMadeEasy as the public
>> authoritative service for the domain.
>>
>> On Sat, Nov 17, 2018 at 3:25 AM Jamie Honnaker <jamie at honnaker.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I currently have Opendnssec running on Ubuntu serving one domain name.
>>> That domain is signed. The registrar is Godaddy. I have that
>>> domain name set up on DNSMadeEasy as a secondary domain that pulls from my
>>> Opendnssec server.
>>>
>>> I want to disable DNSSEC so I can transfer the domain name to
>>> DNSMadeEasy as a primary domain and retire my Opendnssec server.
>>>
>>> I know I can log in to Godaddy and delete the DNSSEC key to disable
>>> DNSSEC at the registrar. Do I also need to somehow convert my domain name
>>> on my Opendnssec server from signed to unsigned? If so, how do I do that?
>>>
>>> Thanks,
>>>
>>> --
>>> Jamie
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>>
>>