DNSSec entries still affected on my domain even though i've disable
Hello As the title says, so i've disable dnssec on my domain few month back but when i check on dnssec analyzer my domain dnssec still enabled. so i can't issue let's encrypt ssl cert
I've make sure both on my route53 and on my domain registrar disabled
- 最新
- 最多得票
- 最多評論
Thank you for the information Gary, i did contact my registrar which is PANDI and they escalate the "stuck" ds record from their side.
I already delete the DS record on my domain registrar long time ago, but i'll contact them to check on their side. will be update soon after i got answer from them
Please do.. Thanks samdgea
So I already contact my domain registrar and confirms that dnssec is already unsigned (disabled)
Hi Samdgea, I updated my answer with more information..Basicly the registrar needs to escalate this issue
Looks to me like there’s still a DS record at the registrar. In the screen shot NS-746 name server has an issue.
# DS Records
| Domain Name | TTL | Key Tag | Algorithm | Digest Type | Digest |
|-------------|-----|---------|-----------|-------------|--------|
| Abdilah.id | 3600 | 54640 | 13 | 2 | 063B08C8F23150A315679A2EF6A220F5F56DA29DE738
AD51A32C5A071E1AE53B |
I’ve read a few pages and it says to remove DS at the registrar and wait a day or 2 before removing dnssec from the zone.
Believe you need to check with your registrar to have this resolved
Update The registrar may say its disabled, however the Name servers for .ID still have DS records for your domain. Your registar needs to escalte this to Indonesian Internet Domain Name Administrator who manages the domain to clear down the stuck DS records. You could try to enable and disable DNSSEC again, it may help flush it through. OR Remove/put in fake the NS records for the domain, try DS lookup again and then put the real NS records back.
It looks like the registrar process to add and remove DS records failed
gary@thinkpad:~$ dig abdilah.id
; <<>> DiG 9.16.1-Ubuntu <<>> abdilah.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13114
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 61 62 64 69 6c 61 68 2e 69 64 2e ("..no SEP matching the DS found for abdilah.id.")
;; QUESTION SECTION:
;abdilah.id. IN A
;; Query time: 369 msec
;; SERVER: 192.168.8.240#53(192.168.8.240)
;; WHEN: Thu Jun 29 08:40:30 BST 2023
;; MSG SIZE rcvd: 89
gary@thinkpad:~$ dig abdilah.id DS
; <<>> DiG 9.16.1-Ubuntu <<>> abdilah.id DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57801
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;abdilah.id. IN DS
;; ANSWER SECTION:
abdilah.id. 3600 IN DS 54640 13 2 063B08C8F23150A315679A2EF6A220F5F56DA29DE738AD51A32C5A07 1E1AE53B
;; Query time: 389 msec
;; SERVER: 192.168.8.240#53(192.168.8.240)
;; WHEN: Thu Jun 29 08:40:57 BST 2023
;; MSG SIZE rcvd: 97
I see the DS key has changed for your domain but DNS SEC Is still enabled for your domain
相關內容
- 已提問 1 年前
- 已提問 6 個月前
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
Thanks for the update and glad I could help. I would appreciate it if you accepted my answer as this helps me and others. Gary