DNSSEC is not working

Answered

Comments

10 comments

  • SimpleTechGuy

    Maybe a DNS propagation issue? Have you cleared out your DNS cache on your local browser / computer / firewall / router etc.?

    Have you tried testing the site with Verisign Labs or MXToolbox?

    https://dnssec-analyzer.verisignlabs.com/

    https://mxtoolbox.com/DNSKey.aspx

    0
  • lulzkiller

    Unfortunately not a propagation issue. I have tested with all the tools; they all fail with the DNSSEC. The domain doesn't even resolve after I added the keys to the registrar.

    0
  • SimpleTechGuy

    Sadly it's been a long time since I set this up. I don't remember exactly what I did, but I do remember it being a pain in the butt. I think it might have had something to do with using the KSK key instead of the ZSK key.

    0
  • SimpleTechGuy

    Sorry, meant to say create a CSK (Combined Signing Key) instead of KSK/ZSK separately, and use RSA/SHA-256.... That combination always seems to work for me.

    0
  • SimpleTechGuy

    Then on the registrar make sure to set algorithm 13 and digest type 2.

    0
  • lulzkiller

    It's making me crazy; I've spent more than 2 days on this now. I have tested God knows how many things.


    If I run this command from the server:

    [root@web1 ~]# dig +dnssec @localhost DOMAIN.COM
     
    ; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> +dnssec @localhost DOMAIN.COM
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39137
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
     
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ;; QUESTION SECTION:
    ;DOMAIN.COM. IN A
     
    ;; ANSWER SECTION:
    DOMAIN.COM. 3600 IN A SERVER IP
    DOMAIN.COM. 3600 IN RRSIG A 13 2 3600 20241017000000 20240926000000 55287 DOMAIN.COM. vqwMreiSyBbInIfVYshhKASwAZWAErm7LueQME8rsUd5ElZuRR0UbMxr hkE3lDBhdc+6O5AVZFJIMutkyBsLHA==
     
    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: tir okt 08 00:28:42 CEST 2024
    ;; MSG SIZE  rcvd: 159
     
    [root@web1 ~]#

    All is looking fine. But somehow the published records at the registrar never work. I think I have been through all of the keys that it's possible to generate. Heck, I even checked the firewall to see if I somehow managed to block anything. But nope, it makes no sense at all.


    I'm using vanity servers at ClouDNS. All domains that are on the cPanel server are created there as "secondary" with the cPanel IP as main.

    I tried with my test domain, just making it primary in ClouDNS and using ClouDNS DNSSEC. It started working after a few minutes and the key was published correctly.

    So there is something really weird going on.

    0
  • lulzkiller

    Sorry, you replied just before I replied :)

    I already tried with the CSK one, with the algorithm set to 13 and the digest type set to 2, and with the appropriate keytag and digest. But it's the same, unfortunately. I went through all of the possible methods to create a key and none of them works :(

    0
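The two posts above turn on whether the DS record published at the registrar (key tag, algorithm 13, digest type 2, digest) actually corresponds to the DNSKEY the server signs with. The script below is an added example, not code from this thread, from cPanel or from ClouDNS: it implements the RFC 4034 key-tag and DS-digest calculations with only the Python standard library, parses a DNSKEY and a DS line in presentation format, and reports whether they agree. Algorithm 13 is ECDSA P-256 with SHA-256 and digest type 2 is SHA-256, as the thread says. The DNSKEY it checks is constructed for the demonstration (owner `example.com.`, a 64-byte "public key" consisting of the bytes 0x00..0x3F, which is the raw X||Y length of a P-256 key but is not a real key); the matching DS line and a deliberately mistyped one are derived from it in the same block.

```python
"""Added example: verify that a registrar-side DS record matches a DNSKEY.

RFC 4034 defines the key tag (Appendix B) and the DS digest: for digest
type 2 it is SHA-256 over the canonical owner name followed by the DNSKEY
RDATA.  All sample data below is constructed; none of it is a real key.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    with its length, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex DS digest over canonical owner name || DNSKEY RDATA."""
    if digest_type not in DIGEST_FUNCS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' (base64 may be split)."""
    f = line.split()
    i = f.index("DNSKEY")
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), pubkey


def parse_ds(line: str):
    """Parse 'owner [TTL] [IN] DS keytag alg digesttype hex...' (hex may be split)."""
    f = line.split()
    i = f.index("DS")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def ds_from_dnskey(dnskey_line: str, digest_type: int = 2):
    """The (keytag, algorithm, digest_type, digest) tuple the registrar should publish."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True only if owner, key tag, algorithm, digest type and digest all agree."""
    ds_owner, tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_FUNCS:
        return False
    if name_to_wire(ds_owner) != name_to_wire(parse_dnskey(dnskey_line)[0]):
        return False
    return (tag, alg, dtype, digest) == ds_from_dnskey(dnskey_line, dtype)


# Constructed sample: bytes 0x00..0x3F stand in for a P-256 public key (algorithm 13);
# flags 257 = zone key with the SEP bit set, as on a KSK or CSK.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()
_tag, _alg, _dt, _digest = ds_from_dnskey(SAMPLE_DNSKEY, 2)
SAMPLE_DS = f"example.com. 3600 IN DS {_tag} {_alg} {_dt} {_digest}"
# Same digest with the key tag off by one: a registrar entry that will never validate.
SAMPLE_DS_BAD_TAG = f"example.com. 3600 IN DS {_tag + 1} {_alg} {_dt} {_digest}"

if __name__ == "__main__":
    print("DS the registrar should hold:", SAMPLE_DS)
    print("correct entry matches:", ds_matches(SAMPLE_DNSKEY, SAMPLE_DS))
    print("mistyped key tag matches:", ds_matches(SAMPLE_DNSKEY, SAMPLE_DS_BAD_TAG))
```

To use it against a live zone, paste the DNSKEY line with flags 257 from the authoritative server (the output of `dig DNSKEY` against it) and the DS line as the registrar displays it; any single field disagreeing, including an owner name typo, makes `ds_matches` return False, which is exactly the "published records never work" symptom described above.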
  • SimpleTechGuy

    Yeah, that is strange. Sorry I can't be of any more help. Never used ClouDNS.

    0
  • lulzkiller

    Yooo, I finally got it working...

    I had to run:

    /usr/local/cpanel/bin/whmapi1 unset_nsec3_for_domains domain=domain.tld

    I found it hiding at the bottom of this guide here:

    https://support.cpanel.net/hc/en-us/articles/4404190000663-Enabling-AXFR-for-cPanel-controlled-Domains

    0
  • SimpleTechGuy

    Nice, good find! I never would have imagined that could have caused this problem!

    0