DNSSec - Need help to configure

I have configured DNSSEC for other domains before with just simple copy & paste. My registrars were Namecheap, GD, etc.

Now I have a new domain that comes from a different registrar. These are the present records:

Now how do I replace it with Cloudflare DNSSEC records? Is there any formatting that is required? :neutral_face:
And there is no SHA256 option with this registrar…

Have you asked the registrar why they don’t support SHA-256?

1 Like

This is the Govt of India registry, registry(dot)ernet(dot)in. They are not really known for their customer friendliness. This is one of those domains controlled exclusively by the Govt. And I don’t expect a new protocol to be installed just at my request.

I was wondering if there is something I can do in terms of configuring before I try to contact their customer department. What confused me was the way the default settings were configured. The Algorithm section had the data:
RSA/SHA-159 2,048 bits (Algorithm 8)
Does that help in my case in any way? To enter the text in the Algorithm section in some particular format to help use Cloudflare DS records? I don’t know if my question even made any technical sense. :sweat_smile: I am still learning DNS management.

Or is it just better to disable DNSSEC for the time being? :thinking: (In case SHA256 integration is unavailable)

You won’t have a choice. If they don’t support SHA-256, then you can’t use DNSSEC with Cloudflare.

1 Like

You can generate a DS record using a different digest yourself. You just cannot change the Algorithm. You need bind-utils or similar to run the command below (replacing the domain name as appropriate):

dig dnskey example.com | dnssec-dsfromkey -1 -f - example.com

I’m just waiting on one of my own domains to go live with this digest and will be able to confirm that it all looks fine.

There are potential attacks against the SHA1 digest, so this should only really be used if you have no other options. From what I can see, this is a Registrar limitation, and not a Registry problem with .in.

1 Like

No. .in will not have a problem. The domain in question is edu.in which is controlled by a Govt Department and not open to 3rd party registrars.

Let me know how your experiment goes. And if you are successful, then I will be grateful if you can guide me through the steps.

I was reading up on the SHA1 vulnerabilities. And I am confused as to whether it is better to not use DNSSEC at all (for the time being) than to use SHA1.

OK. I will wait for more responses.

1 Like

While everybody in the DNS Delegation chain should support SHA-256 (or SHA-384), resolvers will continue to use SHA-1 digests when they have nothing better. I would say that using a SHA-1 digest is better than not using DNSSEC.

You should contact your registrar and let them know the current standards requirements.

My test on a .is domain was successful, I get a warning that SHA-1 is not allowed, but it validates successfully using the conversion technique above.

1 Like

dig dnskey example.com | dnssec-dsfromkey -1 -f - example.com

What should replace the dnskey variable? Is it the digest or is it the public key that you get from the Cloudflare dashboard?

Probably a safer way using this command is below.

dig +dnssec dnskey example.com @ninja.ns.cloudflare.com | dnssec-dsfromkey -a SHA-1 -f - example.com

Replace example.com with your domain name.
Replace ninja.ns.cloudflare.com with one of your two assigned Cloudflare Nameservers.

This essentially fetches your public key directly from your Cloudflare Nameservers, and generates a SHA-1 hash of that key.

The interface shows you both the public key and the digest. The DS record is essentially the digest, but they only give you a SHA-256 digest, which your registrar’s interface will not allow.

2 Likes
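The two dig pipelines in this thread hand a DNSKEY answer to dnssec-dsfromkey. As an added example that is not part of this thread, of BIND, or of Cloudflare, the Python below reproduces what that tool computes, following RFC 4034 section 5.1.4 and Appendix B: the DS digest covers the owner name in canonical wire form plus the whole DNSKEY RDATA, only the key with the SEP flag (flags 257, the KSK) gets a DS record, and picking SHA-1 changes only the digest type and digest, never the algorithm number. The dig output embedded below is constructed (placeholder key material and RRSIG), and the known-answer check uses the DNSKEY/DS pair published in RFC 4034 section 5.4.

```python
import base64
import hashlib
import struct

# Added example: a from-scratch DS generator mirroring what `dnssec-dsfromkey`
# does (RFC 4034 section 5.1.4 and Appendix B). Digest type codes from the DS
# registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}

# Known-answer vector from RFC 4034 section 5.4 (dskey.example.com, algorithm 5):
# its DS record is "60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118".
RFC4034_OWNER = "dskey.example.com."
RFC4034_KEY_B64 = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, each length-prefixed,
    terminated by the root label (a zero byte)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label == "":
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS RDATA for one DNSKEY. Owner name, flags, protocol and
    algorithm are all hashed, so changing any of them changes the DS."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unsupported digest type %d" % digest_type)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    _, hash_fn = DIGEST_TYPES[digest_type]
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def parse_dnskey_output(text):
    """Pull DNSKEY RRs out of dig-style presentation output. Comment lines,
    blank lines and RRSIG records (which also mention DNSKEY) are ignored."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        if idx < 1 or fields[idx - 1] != "IN":  # skips "IN RRSIG DNSKEY ..." lines
            continue
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        pubkey_b64 = "".join(fields[idx + 4:])  # dig may split the key into tokens
        keys.append((fields[0], flags, protocol, algorithm, pubkey_b64))
    return keys


def ds_records_from_output(text, digest_type=2):
    """DS records for every key-signing key in the output. Only keys with the
    SEP bit set (flags 257) are KSKs; a ZSK (flags 256) must not get a DS."""
    return [ds_record(*key, digest_type=digest_type)
            for key in parse_dnskey_output(text) if key[1] & 0x0001]


def format_ds(ds):
    return "%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"])


# Constructed sample of what `dig +dnssec dnskey example.com @<nameserver>` prints;
# the ZSK key material and the RRSIG are placeholders, not real zone data.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t3600\tIN\tDNSKEY\t256 3 13 Y29uc3RydWN0ZWQ=
example.com.\t3600\tIN\tDNSKEY\t257 3 5 %s
example.com.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 20250101000000 20241201000000 12345 example.com. cGxhY2Vob2xkZXI=
""" % RFC4034_KEY_B64

if __name__ == "__main__":
    print(format_ds(ds_record(RFC4034_OWNER, 256, 3, 5, RFC4034_KEY_B64, 1)))
    for ds in ds_records_from_output(SAMPLE_DIG_OUTPUT, digest_type=1):
        print(format_ds(ds))
```

Running it prints the RFC 4034 DS line followed by a SHA-1 DS for the constructed KSK only; the ZSK line is parsed but filtered out, and the RRSIG line is ignored. Passing digest_type=2 to ds_records_from_output yields the same key tag and algorithm with a 64-character SHA-256 digest, which is the form the Cloudflare dashboard shows.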