A organization has DNSSEC support for their domains. They have a BIND9 as authoritative name server running which also manages the keys. However it was decided to remove DNSSEC. Is it sufficient to remove the key material in /var/lib/bind/pri
and to restart the server or are there steps which should be done to have it r?emoved
- 173
- 1
- 5
1 Answers
No, it is not sufficient to just remove the configuration locally on an authoritative name server.
DNSSEC is a hierarchical system, chain of trust agains DNS cache poisoning.
DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
Example of a Chain of Trust:
The zone itself is signed with the private key on your primary authoritative name server, e.g.
ns1.example.com.
has the private key for signingexample.com. A
withexample.com. RRSIG A
.The public key of
example.com.
has been sent to and confirmed by the authority forcom.
, which then has it inexample.com. DS hash
and correspondingexample.com. RRSID DS
, signed with private key for.com.
The public key of
com.
has been sent to and confirmed by the root authority, which then has it incom. DS hash
and correspondingcom. RRSID DS
, signed with private root key i.e. key for.
, aka Root Zone Trust Anchor:The Root Key Signing Key acts as the trust anchor for DNSSEC for the
Domain Name System. This trust anchor is configured in DNSSEC-aware resolvers to facilitate validation of DNS data.
You can get a nice visualization of any domain with DNSViz. It also detects configuration errors.
Therefore, the authority responsible of the TLD must be contacted, probably through the registrar, and informed that DNSSEC should be disabled for the domain. They will disable DNSSEC by removing the chaining DS
record from their nameservers. Otherwise DNSSEC will still be enabled, causing your authoritative name server to be seen as a rogue name server.
- 43,252
- 2
- 75
- 122
-
5Note that just removing the DS from parent zone will be enough to drop your zone to insecure status, regardless of whatever DNSSEC record you keep in it (at that moment). That's the first step to do; you want to wait at least for TTL of the DS before actually removing the DNSSEC records. – Vladimír Čunát Oct 11 '17 at 11:31