Ownership validation: Which Method for static IP@pfsense?

I Think I started recheck...

Fatal error: DNSKEY 2371 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 60191, DigestType 2, Digest MH3BkRknNfXfdv42T29sHxixCMQ4NTFadORQ1k5BBqE=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

so now it has a DNSKEY that doesn't match with the DNS RR. What.
and origin connection time out (522) from cloudflare.

On their web page there is no way you can do that yourself. - But I sent the key to them and they reported back they implemented it.

Do you mean that my registrar implemented a wrong key?

Yep, now there is the - again terrible - result. Rechecked with Verisign - the same - DNSSEC Analyzer - 12bfree.com

12bfree.com
Found 1 DS records for 12bfree.com in the com zone
DS=60191/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=12163 and DNSKEY=12163 verifies the DS RRset
Found 2 DNSKEY records for 12bfree.com
None of the 2 DNSKEY records could be validated by any of the 1 DS records
Found 1 RRSIGs over DNSKEY RRset
RRSIG=2371 and DNSKEY=2371/SEP verifies the DNSKEY RRset
The DNSKEY RRset was not signed by any keys in the chain-of-trust
12bfree.com A RR has value 104.18.56.186
Found 1 RRSIGs over A RRset
RRSIG=34505 and DNSKEY=34505 verifies the A RRset

If they can't implement that, switch to another dns provider. Or remove DNSSEC.

Thanks. - I’ll transfer the domain to Cloudflare. I really hope this limbo situation is coming to an end soon. I need this domain up and running.

Where did the DS record come from? You mention:

Which seems to be a fake example key used in lots of documentation.

The DS record for 12bfree.com, the domain mentioned in recent posts, is:

60191 13 2 307DC191192735F5DF76FE364F6F6C1F18B108C43835315A74E450D6 4E4106A1

Cloudflare uses one set of keys for almost all domains. (It's safe, but makes onboarding or offboarding more difficult.) Assuming my connection to the DNS servers is not being MITMed, the DNSKEY record set for 12bfree.com is using those keys:

256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==  ; ZSK; alg = ECDSAP256SHA256 ; key id = 34505
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==  ; KSK; alg = ECDSAP256SHA256 ; key id = 2371

Cloudflare's typical KSK -- with key tag 2371 -- does not match your DS record, which uses some key with key tag 60191. Are you sure you copied the right information from the right place?

2 Likes
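The comparison made in that post, as an added example (not code from the thread, from Cloudflare or from any DNS checker): it rebuilds the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest from the DNSKEY records quoted above and checks whether the DS in the com zone authenticates either of them; the DS that the Cloudflare API displays later in the thread is included as a second input.

```python
import base64
import hashlib

# Data copied from the thread (base64/hex joined, spaces removed): the two DNSKEYs served
# for 12bfree.com, the DS found in the com zone, and the DS the Cloudflare API displays.
OWNER = "12bfree.com."
DNSKEYS = [
    (256, 3, 13, "oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA=="),
    (257, 3, 13, "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="),
]
DS_IN_COM_ZONE = (60191, 13, 2, "307DC191192735F5DF76FE364F6F6C1F18B108C43835315A74E450D64E4106A1")
DS_FROM_CLOUDFLARE = (2371, 13, 2, "74CC8C90823F931CAFA9B150AD34C241523F152054D19431390F1B342D877D37")

def dnskey_rdata(flags, proto, alg, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lower-case, length-prefixed labels, terminated by a zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over the owner-name wire form followed by the RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches(ds, owner, dnskeys):
    """Return the DNSKEY the DS authenticates, or None: the 'no chain of trust created' case."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        raise ValueError("only DS digest type 2 (SHA-256) is implemented here")
    for flags, proto, key_alg, key_b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, key_alg, key_b64)
        if key_alg == alg and key_tag(rdata) == tag and ds_digest(owner, rdata) == digest.upper():
            return (flags, proto, key_alg, key_b64)
    return None

if __name__ == "__main__":
    for ds in (DS_IN_COM_ZONE, DS_FROM_CLOUDFLARE):
        hit = ds_matches(ds, OWNER, DNSKEYS)
        print(f"DS key tag {ds[0]}: {'matches DNSKEY flags=' + str(hit[0]) if hit else 'no DNSKEY matches'}")
```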

The Cloudflare API displays the DS record data as follows:
12bfree.com. 3600 IN DS 2371 13 2 74CC8C90823F931CAFA9B150AD34C241523F152054D19431390F1B342D877D37
and meanwhile also delivers "Success! 12bfree.com is protected with DNSSEC."
But when I go check with Jürgen Auer's proposed website
I get the error "destination DNSKEY doesn't exist or doesn't validate".

"whois 12bfree.com | grep 'DNSSEC'" does retrieve the DS data I gave to my registrar.
(Sorry about using the example data above. Did not mean to confuse anybody, guess I was unintentionally overly cautious)

You have to recheck your domain.

The last check - 11.12.2019 16:36:48.

Hm. I can’t think of where to look for the error. Could you be more specific, please? - When the DS entry I see at my Cloudflare account matches the result I get doing a whois with a grep on ‘DNSKEY’, I don’t really know where to start tackling the problem…

This result

is from 11.12.2019 16:36:48.

So it's six days old, expired.

You didn't check your domain; you see the result of an old check. So it's completely irrelevant.

Misinterpreted your words, classic… Anyway, rechecked with https://dnsviz.net/d/12bfree.com/dnssec/ which provides a more visual feedback. - Looks OK to me.

There is, however, a persisting problem when I renew the certificate. When the process arrives at the subdomain entry it returns “Getting webroot for domain=’*.12bfree.com’” --> "invalid domain"
BTW: I can dig lime.12bfree.com alright, which returns an IP from the Cloudflare realm. Any idea on that?

Sounds like the installer can’t find a matching ServerName/Server_Name for “*.12bfree.com”
And I also see CloudFlare in use - not sure if that presents an obstacle in your quest.

by the way, may I ask why it caches such old check results? The first one on this thread was ~2 weeks old.

All results are saved in tables, the output is generated with a list of queries.

Currently, old results are not deleted, so the user has a history of checks.

Cloudflare is my DNS provider, it’s supposed to be part of the game…

Just rechecked the domain using your site checker. -
Everything’s fine, except for point 12 “TXT Entries”, where it says “perhaps wrong” for “_acme-challenge.12bfree.com.12bfree.com” and “_acme-challenge.www.12bfree.com.12bfree.com”.
Could you comment on this, plz?

Read the complete output:

If a domain name doesn't exist, the dns server should answer with a Name Error = dns error 3.

The answer of _acme-challenge.www.12bfree.com.www.12bfree.com is correct, so it's green.

But checking the two other (wrong) names, there is no "Name error", instead, there is an answer.

So the server says: "This name exists, but there is no TXT entry". But I don't think these entries are defined.

-->> curious name server answer.

Compare it with

(ignore the blue lines, now that's not relevant).
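An added example (not part of the original post or of the checker) that reproduces the distinction above on constructed DNS responses: rcode 3 is the Name Error a server should return for a name that does not exist, while rcode 0 with an empty answer section means "the name exists, but has no TXT entry". Standard library only; the packets are built inline and are not captures from 12bfree.com's name servers.

```python
import struct

# Constructed responses (not captures from 12bfree.com's servers): a 12-byte header plus
# one question; answer bodies are omitted because the classifier reads only header and question.

def encode_name(name):
    """Length-prefixed labels terminated by a zero byte, the wire form used in the question."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def build_response(qname, rcode, ancount):
    """Response with id 1, QR|RD|RA flags and the given rcode; QTYPE 16 (TXT), QCLASS 1 (IN)."""
    header = struct.pack("!HHHHHH", 1, 0x8180 | (rcode & 0xF), 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 16, 1)

def decode_name(packet, offset):
    """Read an uncompressed name (question names are never compressed); return (name, new offset)."""
    labels = []
    while packet[offset] != 0:
        n = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + ".", offset + 1

def classify(packet):
    """NXDOMAIN (rcode 3), NODATA (rcode 0, no answers: name exists but has no TXT), or ANSWER."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    qname, _ = decode_name(packet, 12)
    rcode = flags & 0xF
    if rcode == 3:
        return qname, "NXDOMAIN"
    if rcode == 0:
        return qname, "NODATA" if ancount == 0 else "ANSWER"
    return qname, f"RCODE{rcode}"

def check_nonexistent_names(packets):
    """For names the zone should not define, anything but NXDOMAIN is 'perhaps wrong', as in the checker."""
    report = {}
    for packet in packets:
        qname, verdict = classify(packet)
        report[qname] = "ok (Name Error)" if verdict == "NXDOMAIN" else f"perhaps wrong ({verdict})"
    return report

if __name__ == "__main__":
    samples = [
        build_response("_acme-challenge.www.12bfree.com.www.12bfree.com", 3, 0),  # correct: Name Error
        build_response("_acme-challenge.12bfree.com.12bfree.com", 0, 0),          # curious: exists, no TXT
        build_response("_acme-challenge.www.12bfree.com.12bfree.com", 0, 0),      # curious: exists, no TXT
    ]
    for name, result in check_nonexistent_names(samples).items():
        print(name, "->", result)
```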

Are you suggesting I add a DNS TXT entry for 12bfree.com at Cloudflare?

I agree it’s a ‘curious name server answer’ because ‘12bfree.com’ exists as an ‘A’ record in DNS. ‘www’ and various subdomains are CNAME entries. Nothing wrong with that, right?
If I’m not mistaken a TXT record is for additional ownership validation. Do I really need that for a certificate update? The way I understand it DNSSEC identifies ownership reliably. Why then a TXT record?
Again: Do you recommend adding a TXT entry then?

You are understanding something completely wrong. A txt record is a txt record, nothing else. It may be used as an ownership validation, it may be used as a joke or a simple test: "This is a small txt text entry".

So your question

???

Looks like you mix things that are completely different.

If you want to create a certificate, you may use dns validation. So read

But then a txt entry with the domain name 12bfree.com isn't relevant, because _acme-challenge as first part is required.