
The domain dwc-amsterdam.com was acquired on hosting company A (hostA) which supports DNSSEC.

It was then transferred to hosting company B (hostB), which does not offer DNSSEC.

After detecting certain issues with the domain, the culprit seems to be the DS record that is still active for the domain:

dwc-amsterdam.com.      86400   IN      DS      17739 7 1 05D720F7D200908C61631CD257A60F16ACE9D13D

HostB says that the DS record was never entered in their zone, so they cannot help me, and directs me to HostA.

HostA says that 2 weeks after the transfer all records were deleted. Technical support confirms this for the domain and I am directed back to the current host HostB.

How can I break the impasse?

Is it possible to check directly where the DS record originates from?

paul

2 Answers


A DS (Delegation Signer) key is added to the parent zone (com., in your case) via your registrar.

This continues the chain of trust between .com > dwc-amsterdam.com. The DS records at .com (parent) are used to prove that the records returned by your nameserver (child) are what they claim to be. To be clear, HostB's nameserver (child) would not host this record nor would the control panel add it, unless they were also a registrar.

If the new hosting company, HostB, was responsible for changing the nameserver glue listed at the registrar to the new servers, then they would be responsible for cleaning up the old records at said registrar.


To actually see the record, we first get a list of nameservers from com.:

$ dig com. IN NS

...pick a nameserver from the list, then query for your DS:

$ dig dwc-amsterdam.com IN DS @d.gtld-servers.net

...the important bit to note in the reply is that the aa flag is set: this means it is an Authoritative Answer; simply put, the responding nameserver "owns" that record.

pete
  • Thank you for your insightful post. It really helped me to focus on some key elements. – paul Nov 05 '15 at 12:43
  • So yes HostB is responsible for cleaning up the record. But it seems the registrar should have cleaned it up already when the transfer occured, so that was the mistake. In the meantime HostB informed me that support of the registrar communicated that the DS record would be cleared. I am fairly certain that will resolve the issues... – paul Nov 05 '15 at 12:50
  • @paul The registrar just maintains the data, they aren't responsible for keeping the data valid. HostB should have checked. If they found and removed the record, it should be fine after it propagates. – pete Nov 05 '15 at 13:03
  • Ok yes, makes sense, it would be an impossible task otherwise, thanks again. For future reference, so hostB should have checked, but they clearly lack DNSSEC knowledge and did not even notice the DS for a while, probably only checking through their servers. HostA stipulates in their FAQ that when a DNSSEC domain is to be moved, it can be refused when the new party does not support DNSSEC, but this did not happen. So in a perfect world should hostA have been the one that had either cleared the DS record before transferring the domain, or notified the client and refused the transfer? – paul Nov 06 '15 at 09:03
  • @paul, Without seeing that FAQ, it sounds like they are referring to domain transfers, as opposed to changing hosting providers. Second, my personal opinion is that HostA carries no responsibility for this - they would have no idea of your plans post-change; it would be irresponsible to remove a security feature w/o being asked to. OTOH, HostB configured your current setup, and if they were aware that previously DNSSEC was enabled, they should have known to remove the DS record; or at least googled it. – pete Nov 07 '15 at 14:25
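The dig procedure in this answer can be checked offline as well. The following is an added example (not code from the answer or from either hosting company): it parses the text dig prints for a DS query at a parent server, confirms the aa flag was set, and then computes, per RFC 4034, the DS (key tag plus digest) that a child's DNSKEY would produce, so you can tell whether the DS at .com still corresponds to anything the child actually serves. The dig reply and the DNSKEY below are constructed for the demonstration; only the DS values come from the question.

```python
"""Offline check of a DNSSEC delegation: parse the parent's reply to
`dig <zone> IN DS @<parent server>`, confirm it was authoritative (aa flag), and
compare the DS it carries with the DS the child's DNSKEY records would produce."""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex


# DS digest types (RFC 4034, RFC 4509, RFC 6605); GOST (type 3) is left out on purpose.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def parse_dig(output: str):
    """Return (aa_flag_set, [DS, ...]) from the text that dig prints."""
    aa = False
    records = []
    for line in output.splitlines():
        m = re.search(r";; flags:([^;]*);", line)
        if m:
            aa = "aa" in m.group(1).split()
            continue
        if not line.strip() or line.startswith(";"):
            continue  # blank lines, comments and the question section
        parts = line.split()
        if len(parts) >= 8 and parts[2:4] == ["IN", "DS"]:
            records.append(DS(int(parts[4]), int(parts[5]), int(parts[6]),
                              "".join(parts[7:]).upper()))
    return aa, records


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> DS:
    """The DS a parent should publish for this DNSKEY: digest(owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGOS[digest_type], name_to_wire(owner) + rdata)
    return DS(key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def delegation_ok(owner, parent_ds, child_keys) -> bool:
    """True if some DS at the parent is reproduced by a DNSKEY the child serves.
    A non-empty parent_ds with no matching child key is the stale-DS case from the
    question: validating resolvers will treat the zone as bogus and answer SERVFAIL."""
    return any(ds_from_dnskey(owner, *key, digest_type=ds.digest_type) == ds
               for ds in parent_ds if ds.digest_type in DIGEST_ALGOS
               for key in child_keys)


# Constructed dig output, modelled on `dig dwc-amsterdam.com IN DS @d.gtld-servers.net`,
# carrying the DS record quoted in the question (the header id is made up).
PARENT_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;dwc-amsterdam.com.\t\tIN\tDS

;; ANSWER SECTION:
dwc-amsterdam.com.\t86400\tIN\tDS\t17739 7 1 05D720F7D200908C61631CD257A60F16ACE9D13D
"""

# Constructed DNSKEY (flags 257 = KSK, protocol 3, algorithm 7) with a dummy 4-byte key.
# It only exercises the DS computation; nothing like it belongs to the real zone.
CHILD_KSK = (257, 3, 7, "AQIDBA==")

if __name__ == "__main__":
    aa, parent_ds = parse_dig(PARENT_REPLY)
    print("authoritative:", aa, "DS at parent:", parent_ds)
    # HostB serves no DNSKEY at all, so the DS at .com is stale and the chain is broken.
    print("unsigned child ok?", delegation_ok("dwc-amsterdam.com", parent_ds, []))
    # A child that publishes the KSK the parent's DS was made from passes.
    fresh = [ds_from_dnskey("dwc-amsterdam.com", *CHILD_KSK, digest_type=1)]
    print("signed child ok?", delegation_ok("dwc-amsterdam.com", fresh, [CHILD_KSK]))
```

To use it against the live parent, save the output of `dig dwc-amsterdam.com IN DS @d.gtld-servers.net` to a file and pass its contents to parse_dig; the child keys come from `dig dwc-amsterdam.com IN DNSKEY @<HostB nameserver>`. If that DNSKEY query returns nothing, as it will for an unsigned zone, the stale DS at .com cannot match anything, and validating resolvers return SERVFAIL while non-validating ones still answer, which is why such breakage looks intermittent.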

But you have the DS record; you just showed it in your post. All you have to do is re-enter that record in your new domain registrar's control panel.

You can find that in domain settings and the parameters you need to enter are:

 Key tag: 17739  
 Algorithm: 7 
 Digest Type: 1 
 Digest: 05D720F7D200908C61631CD257A60F16ACE9D13D

Be aware that if it doesn't work you will probably need to sign the DS record again to generate a new delegation signer.

ostendali
  • But the new hosting company does not support DNSSEC, so I cannot enter it with them. Sorry, I realize I did not mention it in the original post, but I would at the moment prefer to just delete the current DS record, but I do not know to whom I should address this request, if not hostA/hostB, who are pointing at each other. – paul Nov 04 '15 at 18:42
  • 1
    to your registrar, the registrar is the authority for this kind of tasks. i don't think the hosting has anything to do with this, unless the hosting and registrar are the same company.... – ostendali Nov 04 '15 at 19:26
  • Well, actually I never had to deal with the registrars directly. We acquire domains through the hosting company, who are linked to a certain registrar. But all the DNS settings are managed via the hosting company's control panel. Our current hosting company (hostB) uses http://www.virtualregistrar.nl/ ... and as you can read on their website, they refer to the hosting company for any questions regarding domains. That is why I feel I am stuck between these two hosting providers, with nowhere to go. At the moment I would love to contact the registrar directly. – paul Nov 04 '15 at 20:25
  • 1
    Its likely your registrar was never changed over, thus the record still exists - _it is unrelated to the DNS control panel from your host; make that clear to hostB;_ the DS exists at the registrar and must be removed there. Whomever has _access_ to the domain's account at the registrar is responsible for cleaning up the old records – pete Nov 04 '15 at 23:41