DNSSEC Blocking DNS After Transferring Registration To Sonic
Posted: Wed Dec 06, 2023 4:57 pm
by wkrobin
I recently moved DNS service for <redacted> from Google Domains to Sonic but was unfamiliar with DNSSEC, so I didn't even look for a way to deactivate it before transferring away from Google. Now DNS for <redacted> gets a "BOGUS No valid RRSIGs..." error. Is there something that can be done to fix this now, or will this eventually age off in the next day or two?
Thanks in advance.
Peter Chupity
Re: DNSSEC Blocking DNS After Transferring Registration To Sonic
Posted: Fri Dec 08, 2023 3:51 pm
by joemuller
Hi Peter,
Please see my response to your other post in the Labs section -- your previous registration setup at Google Domains had a DNSSEC Domain Signing (DS) key set up that stayed in place when the domain transferred over to us. (This is expected behavior, because your registrar may not be the same as your Authoritative DNS provider, so those records need to stay in place to ensure the domain continues to resolve.) The downside to switching DNS providers is that unless the configuration is imported or configured ahead of time, critical records such as the RRSIG will be missing at the new DNS provider, which will break the domain for any (most) DNS servers that do DNSSEC validation.
The fix here was for someone on our side (me) to remove the DNSSEC keys at the registry level, which then removes the (now broken) DNSSEC signing and makes the domain act like a traditional (non-signed) one.
-- Joe M
Sonic System Operations
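
Added example, not part of the original thread and not Sonic's tooling: a pre-transfer check that compares the DS records held at the registry with the DNSKEYs the new DNS provider publishes, covering the states described in the reply above. The domain `example.com`, the key bytes and the state names are constructed for illustration; DS digests are computed as in RFC 4034 (SHA-256, digest type 2).

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    # Canonical (lowercase) wire format of the owner name
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    # DS = (key tag, algorithm, digest type 2, SHA-256(owner | DNSKEY RDATA))
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner, parent_ds, child_dnskeys):
    if not parent_ds:
        return "unsigned"   # no DS at the registry: resolves like a non-signed zone
    published = {make_ds(owner, k) for k in child_dnskeys}
    if published & set(parent_ds):
        return "chain-ok"   # DS matches a DNSKEY (RRSIGs are not checked here)
    return "broken"         # DS points at a key the zone does not serve: BOGUS

# Constructed sample data: 64-byte keys for algorithm 13 (ECDSA P-256)
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64)))       # previous DNS provider
NEW_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))  # new DNS provider
REGISTRY_DS = [make_ds("example.com", OLD_KEY)]         # carried over in transfer

def scenarios():
    return {
        "before move": delegation_state("example.com", REGISTRY_DS, [OLD_KEY]),
        "moved, new zone unsigned": delegation_state("example.com", REGISTRY_DS, []),
        "moved, new key, old DS": delegation_state("example.com", REGISTRY_DS, [NEW_KEY]),
        "DS removed at registry": delegation_state("example.com", [], []),
    }

if __name__ == "__main__":
    for label, state in scenarios().items():
        print(f"{label:28} {state}")
```

With live data, the two inputs would come from `dig DS <domain>` (answered by the parent zone) and `dig DNSKEY <domain>` against the new provider's name servers.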
Re: DNSSEC Blocking DNS After Transferring Registration To Sonic
Posted: Fri Dec 08, 2023 6:31 pm
by wkrobin
Thank you, Joe.
Everything works as it should, now, and I have another thing to add to my check list for the next time I transfer a domain.
Peter