A little while ago, I deployed DNSSEC because in doing so I reduced the number of security configuration checks I needed to implement on my local domain's DNS. These are Windows Server 2012 R2 machines.

This seems to have worked fine, except that it breaks an off-site backup arrangement we have. Our DNS had been set up to resolve a single host name to a load-balancing device we don't control, which then handles the incoming data; basically it is just drive space we toss our DPM backup files onto. This was a delegation record inside our domain's zone, with the host name as the name of the record, containing a single NS entry for the load balancer.

It took a bit of time to figure out that DNSSEC was the cause, but in working with the other network team it seems confirmed, and they have no plans to reconfigure anything on their end to make it work.

It would seem that I did not fully understand the implications of DNSSEC going into this. Is there a way to simply undo DNSSEC, however? I can certainly "Unsign" the zone, as seen in the DNSSEC menu on the DNS servers. But there isn't really any guidance on this online that appears to be well written or recent. Is there more to it than simply unsigning the zone?


Solution 1:

Is there more to it than simply Unsigning the zone?

Oh yes, and if you fail to do it, your domain will disappear (from any validating resolver).

The first thing to do is to remove the DS records at the parent, which you will need to do through your registrar.

Then you need to "wait". I won't give a specific value (as people do who think the DNS has "propagation", which it doesn't), since it depends on the parent and other factors; just don't hurry. Do it the week after. Better still, monitor for it: see when the parent nameservers stop publishing the DS records, and take into account their previous TTL values as well as the TTL values on your own DNSKEY and RRSIG records.

After all TTLs have expired, normally no one will try to validate your zone anymore.

Only at that moment is it safe for you to unsign it, which means to stop publishing the DNSKEY, RRSIG and NSEC/NSEC3 records.

PS: not something you will want to read, but removing DNSSEC, especially because of some other broken system, is really not a good idea. You should instead invest the time to fix that other system, or design things differently so that this system does not need to rely on your DNSSEC-enabled zone.
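The back-out order the answer describes (DS removed at the parent, then wait out the cached TTLs, only then unsign) is easy to get wrong by hand, so here is an added monitoring script for the Windows DNS server in the question. It is example code written for this page, not the asker's or answerer's code. The zone name `example.com`, the state-file path, and running it on the authoritative server with the DnsServer PowerShell module present are assumptions; the registrar step itself still has to be done by hand.

```powershell
# Added example, not from the original question or answer: observe the DNSSEC back-out
# described above and refuse to unsign the zone until every relevant TTL has run out.
# Assumptions: zone 'example.com', state file under ProgramData, DnsServer module present.
[CmdletBinding()]
param(
    [string]$Zone = 'example.com',                                 # assumed zone name
    [string]$StateFile = "$env:ProgramData\dnssec-rollback.json"   # assumed path
)

# Step 1 (manual): delete the DS record(s) at the registrar. This script only observes it.

# Step 2: ask every parent nameserver directly, not a recursive cache, whether a DS for
# our zone is still published. Parent = everything after the first label of the zone.
$parent = ($Zone -split '\.', 2)[1]
$parentNs = Resolve-DnsName -Name $parent -Type NS -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost

$dsSeen = @(foreach ($ns in $parentNs) {
    Resolve-DnsName -Name $Zone -Type DS -Server $ns -DnsOnly -DnssecOk -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'DS' }
})

$state = if (Test-Path $StateFile) { Get-Content $StateFile -Raw | ConvertFrom-Json } else { $null }
$now = (Get-Date).ToUniversalTime()

if ($dsSeen.Count -gt 0) {
    # Still published: record the longest DS TTL now, because once the parent drops the
    # records we can no longer read it, yet validators may keep it cached for that long.
    $ttl = ($dsSeen | Measure-Object -Property TTL -Maximum).Maximum
    @{ DsTtl = $ttl; DsRemovedAt = $null } | ConvertTo-Json | Set-Content $StateFile
    Write-Host "DS for $Zone still served by the parent (TTL up to $ttl s); do NOT unsign yet."
    return
}

if (-not $state -or $null -eq $state.DsTtl) {
    throw "No DS TTL recorded before removal; run this at least once while the DS is still published."
}
if (-not $state.DsRemovedAt) {
    # First run that sees no DS on any parent server: start the clock.
    $state.DsRemovedAt = $now.ToString('o')
    $state | ConvertTo-Json | Set-Content $StateFile
}
$removedAt = [datetime]::Parse($state.DsRemovedAt).ToUniversalTime()

# Step 3: our own DNSKEY/RRSIG/NSEC(3) sets can sit in caches for their TTLs as well.
$signedTtl = Get-DnsServerResourceRecord -ZoneName $Zone |
    Where-Object { $_.RecordType -in 'DNSKEY', 'RRSIG', 'NSEC', 'NSEC3' } |
    ForEach-Object { $_.TimeToLive.TotalSeconds } |
    Measure-Object -Maximum | Select-Object -ExpandProperty Maximum

# Conservative bound: a validator may have cached the DS just before removal and then our
# DNSKEY set just before that DS expired, so wait the sum of both, plus a day of margin.
$safeAt = $removedAt.AddSeconds([double]$state.DsTtl + [double]$signedTtl).AddDays(1)

if ($now -lt $safeAt) {
    Write-Host ("DS gone since {0:u}; caches may still hold it. Earliest safe unsign: {1:u}" -f $removedAt, $safeAt)
    return
}

# Step 4: only now is the 'Unsign' action from the DNS Manager menu safe; this cmdlet is
# the same operation and removes the DNSKEY, RRSIG and NSEC/NSEC3 records from the zone.
Write-Host "Safe to unsign $Zone."
Invoke-DnsServerZoneUnsign -ZoneName $Zone -Confirm
```

Run it once a day (a scheduled task is enough) starting before the registrar change, so the DS TTL gets recorded while the records still exist; after that it simply reports until the computed time has passed, and it never unsigns while any parent server still answers with a DS.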