From 16f32eb208dc14d8e3b86e52b1e3da6e62e687c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org> Date: Mon, 4 Oct 2021 14:07:28 -0400 Subject: [PATCH] document correctly the last stage of the DNSSEC rotation spotted in tpo/tpa/team#40432 --- howto/dns.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/howto/dns.md b/howto/dns.md index 164224dff..2a6dba1c6 100644 --- a/howto/dns.md +++ b/howto/dns.md @@ -128,10 +128,15 @@ The changes will take a while (~10 hours?) to trickle out into all caches, so it might take a while for the Nagios check to return green. Eventually, Nagios will complain about the old keys, and we can remove -them. Make sure to remove the *old* key, not the new key. Be careful -because the web interface might sort the keys in an unexpected -way. check the keytag and compare with the expiration specified in the -`dsset` file. +them from the registrar. Make sure to remove the *old* key, not the +new key. Be careful because the web interface might sort the keys in +an unexpected way. Check the keytag and compare with the expiration +specified in the `dsset` file. The Nagios warning that you will see +will look like: + + DNS - security delegations: WARNING: torproject.com (57040,-28234), torproject.net (63619,-53722), torproject.org (33670,-28486) + +The `-` entries (e.g. `-28234`) are the ones that should be removed. Note: this procedure could be automated by talking with the registrar's API, for example [Joker.com's DMAPI domain modification 
@@ -236,6 +241,16 @@ If it's not delegated, it's because you forgot step 8 in the zone addition procedure. Ask your upstream or registrar to delegate the zone and run the checks again. +### DNS - security delegations is WARNING + +This error: + + 11:51:19 <nsa> tor-nagios: [global] DNS - security delegations is WARNING: WARNING: torproject.net (63619,-53722), torproject.org (33670,-28486) + +... **will** happen after rotating the DNSSEC keys at the +registrar. The trick is then simply to remove those keys, at the +registrar. See [DS records expiry and renewal](#ds-records-expiry-and-renewal) for the procedure. + # Discussion ## Design -- GitLab
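Review bot: In the first hunk (@@ -128,10 +128,15 @@), the added explanation "The `-` entries (e.g. `-28234`) are the ones that should be removed" only decodes the sign, not the pair itself, yet the preceding sentence asks the operator to "Check the keytag and compare with the expiration specified in the `dsset` file"; say explicitly that each number in `(57040,-28234)` is a DS keytag and that the `-` prefixed one is the old key the earlier sentence tells you to remove, so the two instructions are visibly the same check. Minor wording: "The Nagios warning that you will see will look like:" reads better as "The Nagios warning will look like:".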
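Review bot: In the second hunk (@@ -236,6 +241,16 @@), the new subsection links to `#ds-records-expiry-and-renewal`, but no heading of that name is visible in either hunk; please confirm the target heading exists in `howto/dns.md` with exactly that slug, or the cross-reference silently breaks. Also, this hunk quotes the warning as an IRC line (`11:51:19 <nsa> tor-nagios: [global] DNS - security delegations is WARNING: ...`) while the first hunk quotes the bare check output; either strip the IRC prefix here or say that this is how the alert appears on IRC, so readers do not look for a `[global]` prefix in Nagios itself.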