
We transferred a .se domain to GoDaddy from a small Swedish registrar. It turns out the original domain has DNSSEC set up and the DS records were never removed from the parent zone when it was transferred (and no DNSKEY records were set up on GoDaddy). With GoDaddy premium DNS it's listed as having DNSSEC disabled, which makes sense but also means it doesn't acknowledge there are any active DS records.

As a result I want to remove the DS records from the parent zone to prevent DNSSEC authentication failures which seem to be causing some problems.

As ever GoDaddy are extremely unhelpful (we spent nearly a year trying to transfer the domain originally and having transferred it they keep saying the problem is that ISPs are blocking the website IP which is why some people can't access it, I think this is untrue and they're blocking it due to the DNSSEC issues).

Could anyone explain to me HOW I can get the DS records removed from the parent zone when the registrar records say it isn't set up?

Is there any way I can have these removed myself or else should GoDaddy definitely be able to do it themselves?

Thanks everyone,

Dave

deshg

2 Answers


Your first task is verifying that a DS record exists. There is an excellent article here - DNSSEC verification with dig. If you have access to a Linux box, run these commands:

 dig . DNSKEY | grep -Ev '^($|;)' > root.keys
 dig +sigchase +topdown +trusted-key=./root.keys www.eurid.eu. A 

swapping out eurid.eu for your domain name. This will run through the signatures for the domain and parent domain. Towards the end there is 'Verifying DS Valids a DNSKEY'

Obviously you're going to get validation errors, but that is what you're looking for.

An alternative is finding an online DNSSEC checker (Google found this for me).

Once you've got some evidence of what the DNS records actually have in them, talk to GoDaddy and your previous registrar. You've perhaps found this already, but GoDaddy do have a page about modifying DNSSEC records.

As ever all you can do is be prepared, have evidence to refute what they're talking about, and tell them what needs to be done.

On the upside, at the end of this, you'll very likely be a DNSSEC expert ;)

Michael B
  • Thanks for your comment, I know there are invalid DS records (hence the post), these appear via various DNSSEC checkers. Unfortunately the GoDaddy docs are of no help as they assume it's set up correctly (within GoDaddy it says DNSSEC is not enabled so I can't edit it). I'm waiting on GoDaddy but what I really wanted to establish is how do you get the DS records removed from the parent zone and are GoDaddy definitely able to do it themselves (as based on previous conversations they will say they don't have access). Do you know for certain if they'd be able to remove it or if not who can? Thanks! – deshg Jan 22 '16 at 12:01
  • According to the last link, they do have authority to modify .se DS records. You just need to make them understand that they are incorrect. I would write a technical email, tracing the DNSSEC keys from root to your domain's DS key. Explaining, in as plain a language as is possible for discussing this stuff, what is there currently and what it should be. Give an argument that shows what's wrong, send a link to that page saying they claim to have authority. From there they've not got anywhere to go to – Michael B Jan 22 '16 at 12:07
  • That's great, thanks for confirming Michael, that's much appreciated. I have already sent them all of those details so hopefully I can refuse to take no for an answer and get it sorted. I just wanted clarification from someone else that was the correct route! Thanks so much for your help – deshg Jan 22 '16 at 12:08
  • Glad to help - Whatever happened to DNS providers that are run by people who understand DNS and have support people that do too – Michael B Jan 22 '16 at 12:11
  • Amen to that Michael, I always knew GoDaddy were bad, but I didn't realise they were this bad!! Thanks Michael – deshg Jan 22 '16 at 12:13
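
Added example (not part of the answer above or of the article it links): a Python check that classifies the DS-to-DNSKEY link from the output of `dig +short DS` and `dig +short DNSKEY`, including the orphaned-DS state described in the question. The name `example.se.`, the sample records and the state labels are constructed for illustration; only the DS-to-DNSKEY link is checked, not the RRSIGs.

```python
import base64
import hashlib
import struct

HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def parse_dnskey(line):
    """'flags proto alg base64...' (dig +short DNSKEY) -> DNSKEY RDATA bytes."""
    flags, proto, alg, *key = line.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def parse_ds(line):
    """'tag alg digest-type hex...' (dig +short DS) -> (tag, alg, type, digest)."""
    tag, alg, dtype, *digest = line.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, dtype):
    """DS digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return HASHES[dtype](wire_name(owner) + rdata).hexdigest().upper()

def delegation_state(owner, ds_lines, dnskey_lines):
    ds_set = [parse_ds(l) for l in ds_lines if l.strip()]
    keys = [parse_dnskey(l) for l in dnskey_lines if l.strip()]
    if not ds_set:
        return "insecure"          # unsigned delegation, nothing to validate
    if not keys:
        return "bogus-no-dnskey"   # the situation in the question: orphaned DS
    for tag, alg, dtype, digest in ds_set:
        for rd in keys:
            if (dtype in HASHES and rd[3] == alg and key_tag(rd) == tag
                    and ds_digest(owner, rd, dtype) == digest):
                return "secure"    # DS -> DNSKEY link holds (RRSIGs not checked here)
    return "bogus-mismatch"        # DS and DNSKEY both exist but do not match

# Constructed sample data (not real records for any domain).
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="
ORPHAN_DS = "2063 8 2 " + "AB" * 32

if __name__ == "__main__":
    print(delegation_state("example.se.", [ORPHAN_DS], []))
```

To use it on a real domain, pass the lines printed by `dig +short DS <domain>` and `dig +short DNSKEY <domain>` as the two lists.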

While you definitely should make an effort to resolve the problem via GoDaddy first (it is after all their responsibility and you are their customer), at worst you can try contacting the .SE registry and ask. You can find their contact information at https://www.iis.se/english/contact/

They don't have a proper customer support organization for this (again, that's GoDaddy's job), so response may not be particularly quick. But if nothing else helps they certainly have the technical ability to remove your DS records.

Calle Dybedahl