How to remove DNSSEC support from a domain?


No, it is not sufficient to just remove the configuration locally on an authoritative name server.

DNSSEC is a hierarchical system, a chain of trust against DNS cache poisoning.

DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

Example of a Chain of Trust:

  1. The zone itself is signed with the private key on your primary authoritative name server, e.g. ns1.example.com. has the private key for signing example.com. A with example.com. RRSIG A.

  2. The public key of example.com. has been sent to and confirmed by the authority for com., which then has it in example.com. DS hash and corresponding example.com. RRSIG DS, signed with private key for .com.

  3. The public key of com. has been sent to and confirmed by the root authority, which then has it in com. DS hash and corresponding com. RRSIG DS, signed with private root key i.e. key for ., aka Root Zone Trust Anchor:

    The Root Key Signing Key acts as the trust anchor for DNSSEC for the Domain Name System. This trust anchor is configured in DNSSEC-aware resolvers to facilitate validation of DNS data.

You can get a nice visualization of any domain with DNSViz. It also detects configuration errors.

Therefore, the authority responsible for the TLD must be contacted, probably through the registrar, and informed that DNSSEC should be disabled for the domain. They will disable DNSSEC by removing the chaining DS record from their nameservers. Otherwise DNSSEC will still be enabled, causing your authoritative name server to be seen as a rogue name server.

Author: qbi

Updated on September 18, 2022

Comments

  • qbi
    qbi almost 2 years

    An organization has DNSSEC support for their domains. They have BIND9 running as authoritative name server, which also manages the keys. However it was decided to remove DNSSEC. Is it sufficient to remove the key material in /var/lib/bind/pri and to restart the server, or are there steps which should be done to have it removed?

  • Vladimír Čunát
    Vladimír Čunát over 6 years
    Note that just removing the DS from parent zone will be enough to drop your zone to insecure status, regardless of whatever DNSSEC record you keep in it (at that moment). That's the first step to do; you want to wait at least for TTL of the DS before actually removing the DNSSEC records.
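The ordering the answer and the last comment describe (have the DS removed at the parent first, keep the zone signed for at least the DS TTL, only then strip DNSKEY/RRSIG), as an added example that is not part of the original post. It parses constructed `dig +noall +answer` text; the domain, key tag, digest and TTLs are placeholders, not real zone data.

```python
"""Decide the next safe step when withdrawing DNSSEC from a zone."""
from dataclasses import dataclass


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines of the form NAME TTL IN TYPE RDATA."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 4 or fields[2] != "IN":
            continue
        rdata = fields[4] if len(fields) == 5 else ""
        records.append(RR(fields[0], int(fields[1]), fields[3], rdata))
    return records


def next_step(parent_ds, child_dnskey, ds_ttl_seen, seconds_since_ds_gone):
    """Return (phase, advice). ds_ttl_seen is the DS TTL noted while the DS was
    still published; seconds_since_ds_gone is how long the parent has answered
    without a DS (None while it is still there)."""
    ds = [r for r in parent_ds if r.rtype == "DS"]
    keys = [r for r in child_dnskey if r.rtype == "DNSKEY"]
    if ds:
        # Validating resolvers still expect signatures: unsigning now = bogus zone.
        ttl = max(r.ttl for r in ds)
        return ("remove-ds", f"DS still at parent (TTL {ttl}s): keep zone signed, ask registrar to drop DS")
    if not keys:
        return ("done", "no DS at parent and no DNSKEY in zone: DNSSEC fully withdrawn")
    if seconds_since_ds_gone is None or seconds_since_ds_gone < ds_ttl_seen:
        return ("wait", "cached DS copies may still exist: keep zone signed until DS TTL has passed")
    return ("unsign", "DS TTL elapsed: safe to remove DNSKEY/RRSIG/NSEC from the zone")


# Constructed sample answers (placeholder domain, key tag and digest).
PARENT_DS_BEFORE = "example.com.\t86400\tIN\tDS\t12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\n"
CHILD_DNSKEY = ("example.com.\t3600\tIN\tDNSKEY\t257 3 13 (constructed key material)\n"
                "example.com.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 20230101000000 20221201000000 12345 example.com. (constructed)\n")

if __name__ == "__main__":
    keys = parse_dig_answer(CHILD_DNSKEY)
    ds_ttl = max(r.ttl for r in parse_dig_answer(PARENT_DS_BEFORE) if r.rtype == "DS")
    print(next_step(parse_dig_answer(PARENT_DS_BEFORE), keys, ds_ttl, None))
    print(next_step([], keys, ds_ttl, 3600))    # DS gone 1h ago, TTL was 24h
    print(next_step([], keys, ds_ttl, 90000))   # past the DS TTL
    print(next_step([], [], ds_ttl, 90000))
```

Feed it the real answer sections of `dig DS example.com @<parent NS>` and `dig DNSKEY example.com @ns1.example.com` to track where a live zone is in the withdrawal.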