Renew DNSSEC key

Hi,

I got an email from my registrar telling me that my DNSSEC key is going to expire soon.
I checked everywhere, since my DNSSEC is provided by cloudflare, on my understanding Cloudflare should be responsible for renewing it.

I checked everywhere on the internet, CF forums and community, and never found a single issue related to the renewal on DNSSEC keys.

Do I have to do it manually?
Does Cloudflare renew it automatically?

Which are the procedures that I need to make?

thanks!

I’ve never heard of such a thing. DNSSEC Keys don’t expire. Who’s your registrar?

Hi,

Thanks for your reply.
My registrar is registro.br, the gov one from Brazil.

I can translate the most important parts of the email:

"Periodically, registro.br makes verifications on the DNS servers of their registered domains to make sure they’re responding in an adequate manner. We have verified that your domain uses the DNSSEC technology and, soon, your signature will become invalid.

In case this occurs, it will be impossible to make the resolution of names for your domain in servers that have DNSSEC support.

We recommend that you provide the renewal on your domain before the expiring date. "

Ah, the signature. I expect Cloudflare re-signs periodically. Maybe @anb can confirm, as I can’t find any documentation on this.

Hi @suporte33,

If your zone is delegated to Cloudflare, and you are talking about the content served by Cloudflare, I don’t think you need to worry about it.

Traditionally the zone’s contents are signed by hand and need to be renewed before expiring. Cloudflare does online signing: it automatically generates a valid DNSSEC signature on client request.

Below you can see I sent two queries in sequence. The expiration time and inception time in the first response are 20201016193139 20201014173139; in the second response, because the records had expired from the cache, you can see Cloudflare signed the new records with a valid time range 20201016193755 20201014173755.

In short, the expiration time is in the near future, but will never expire.

$ dig @1.1.1.1 cloudflare.com +dnssec +multi

; <<>> DiG 9.16.6-Debian <<>> @1.1.1.1 cloudflare.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36215
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.		IN A

;; ANSWER SECTION:
cloudflare.com.		31 IN RRSIG A 13 2 300 (
				20201016193139 20201014173139 34505 cloudflare.com.
				BCXn4sN9nsk9qhwiZxYRNsbwmcO/GwHzzWgFW22gmsgu
				E/j6djJcdW3wvenLjTs1mvUVdITaKoPaVg2DFxU4gA== )
cloudflare.com.		31 IN A	104.17.175.85
cloudflare.com.		31 IN A	104.17.176.85

;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Oct 15 11:36:10 PDT 2020
;; MSG SIZE  rcvd: 185


$ dig @1.1.1.1 cloudflare.com +dnssec +multi

; <<>> DiG 9.16.6-Debian <<>> @1.1.1.1 cloudflare.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45603
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.		IN A

;; ANSWER SECTION:
cloudflare.com.		300 IN A 104.17.175.85
cloudflare.com.		300 IN A 104.17.176.85
cloudflare.com.		300 IN RRSIG A 13 2 300 (
				20201016193755 20201014173755 34505 cloudflare.com.
				7hzdRlgTHR9RKj67ZlphflCXmfTUoei6u1tT1n13pVqK
				fl4zGmsoT2sQWKuK1mTLNFUDg2aNbA1FMjEn2ASD8Q== )

;; Query time: 35 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Oct 15 11:37:55 PDT 2020
;; MSG SIZE  rcvd: 185
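The validity window anb describes is just the two timestamps in the RRSIG record, so a zone owner can monitor it instead of waiting for the registrar's notice. The script below is an added example (not from this thread, Cloudflare or registro.br): it parses RRSIG records out of dig output, using the first response above as constructed sample input, and reports whether each signature is valid, close to expiring, or already outside its window at a given time; it accepts both the `+multi` layout shown here and dig's default single-line layout.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first dig +multi answer section from the thread.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
cloudflare.com.  31 IN RRSIG A 13 2 300 (
        20201016193139 20201014173139 34505 cloudflare.com.
        BCXn4sN9nsk9qhwiZxYRNsbwmcO/GwHzzWgFW22gmsgu
        E/j6djJcdW3wvenLjTs1mvUVdITaKoPaVg2DFxU4gA== )
cloudflare.com.  31 IN A 104.17.175.85
cloudflare.com.  31 IN A 104.17.176.85
"""

# owner ttl IN RRSIG type alg labels origttl [(] expiration inception keytag signer
# The optional "(" plus whitespace covers both the +multi and single-line layouts.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+\(?\s*"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def parse_rrsig_time(ts: str) -> datetime:
    # RFC 4034 section 3.2: YYYYMMDDHHmmSS, always UTC (dig prints it unchanged).
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(dig_output: str) -> list:
    return [{"owner": m["owner"], "type": m["type"], "keytag": int(m["keytag"]),
             "signer": m["signer"],
             "inception": parse_rrsig_time(m["inception"]),
             "expiration": parse_rrsig_time(m["expiration"])}
            for m in RRSIG_RE.finditer(dig_output)]

def check_rrsig(sig: dict, now: datetime, warn_within: timedelta) -> str:
    # RFC 4035 section 5.3.1: valid only while inception <= now <= expiration.
    if now < sig["inception"] or now > sig["expiration"]:
        return "invalid"
    if sig["expiration"] - now <= warn_within:
        return "expiring"
    return "ok"

def check_dig_output(dig_output: str, now_ts: str, warn_hours: int = 12) -> list:
    """Evaluate every RRSIG in `dig_output` at `now_ts` (same YYYYMMDDHHmmSS form)."""
    now = parse_rrsig_time(now_ts)
    return [(s["owner"], s["type"], check_rrsig(s, now, timedelta(hours=warn_hours)))
            for s in parse_rrsigs(dig_output)]

if __name__ == "__main__":
    # The first query above ran at 11:36:10 PDT, i.e. 18:36:10 UTC on 2020-10-15.
    for owner, rtype, status in check_dig_output(SAMPLE_DIG_OUTPUT, "20201015183610"):
        print(f"{owner} RRSIG({rtype}): {status}")
```

Note that the inception time in each response sits an hour before the query time, which is the usual allowance for resolver clock skew; the check above treats a signature whose inception is still in the future as invalid, exactly as a validating resolver would.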

Hey @anb

Thanks for your reply.
This is exactly what I needed.
It’s weird the lack of information on this matter on the internet.

Thanks so much

I am here for the same reason and same registrar notice. In my case, it expired yesterday.


Dear Wesley,

Since yours expired, did it cause any problem? My Registro BR also informed me that it will expire soon, and I haven’t found an answer anywhere.

Thank you.

Currently, mine still is working as expected.


Ugh, one of my Enterprise tier domains actually had its DNSSEC certificate expire the day before yesterday and half of the global nameservers stopped resolving that domain for 2 days. Seems it fixed itself today, while I still got a negative response from DNSViz.

Something inside cloudflare is indeed borked…

This was indeed an issue that has affected a small number of zones. It has been fixed and thank you for reporting it!

