I typically go to great lengths not to mention in public whom I work for, but there are situations in which it’s difficult to hide. In this particular case I probably brought it upon myself because of a rant on Mastodon. In any case the cat is out of the bag because Ondřej Caletka can add 2 + 2. :-)
The ccTLD of Cyprus (.CY) has transitioned to DNSSEC, and I had the honour and pleasure of consulting with them on how to go about implementing it.
I couldn’t convince them to use just a single key as, say, co.uk and a few others do (I’m a great fan of CSK or SSK – Combined or Single Signing Keys). It was, however, easy to convince .CY to sign with algorithm 13 (ECDSA Curve P-256 with SHA-256), and it makes me happy Victor noticed:
Algorithm 13 from the outset. Nice!
Everything went smoothly. A number of BIND servers had to be reconfigured, NOTIFYs put in place, secondaries changed, ACLs adjusted, etc. but that was easy going. Due to how the provisioning works here, and because I use this setup quite frequently, I recommended BIND with inline signing, so that’s how we set up the signer proper.
The real killer came about as we were about to upload the DS record to IANA for inclusion into the root DNS zone. I almost flipped when we saw the choice available for specifying the digest type:
After all we’d gone through, we can’t submit algorithm 13? Surely not! While emails were being exchanged with the root zone managers, I was tearing my hair out and jumping about, but thankfully there’s no footage of that. With more than 40 TLDs already signed with ECDSA, that seemed almost impossible.
It turned out to be a glitch; root management confirmed what I was silently hoping:
Thank you for reporting this. Our development team identified and fixed the issue. Please try adding the DS records with algorithm 13 again
It is quite possible that you heard my sigh of relief. So, DS submission continued and then the waiting period began. (Submission is checked electronically but apparently is then vetted manually before actually being added to the root zone.)
If you’re familiar with DNSSEC you’ll know that things can break, though not very much does nowadays. I use the term kaputt (with double ‘t’) to describe breakage in DNSSEC, and I have it on good authority that the equivalent Greek term is spasmeno. I’ve broken DNSSEC before, but only in test environments, and I was not looking forward to spasmeno a whole country! (I fear the grammar there isn’t quite right..)
I ran a monitor which checked for appearance of the DS record in the root every minute and was relieved to hear a periodic beep just as I was retiring for the night:
;; ANSWER SECTION:
cy. 86400 IN DS 53051 13 2 23E40296DD897E15A7B78061B987F240D0415ABC20382FDCDAEC24C7 FC8A9E0F
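The DS record above is what the monitor was waiting for: key tag 53051, algorithm 13, digest type 2 (SHA-256), followed by the digest that dig wraps over two fields. As an added example (not code from the post or from nic.cy), the following Python derives a DS record from a DNSKEY RDATA exactly as RFC 4034 specifies (key tag per Appendix B, digest over the owner name in wire format plus the RDATA), parses the DS line dig printed, and checks a DS against a DNSKEY. The DNSKEY it uses is constructed (64 bytes of 0x01 standing in for a P-256 public key) purely to exercise the arithmetic; it is not .CY’s key.

```python
# Added example, not from the original post: build, parse and check a DS record
# with digest type 2 (SHA-256) for a DNSKEY, the shape used for the .CY delegation.
import hashlib
import struct

# DS line as printed by dig in the post; the digest is wrapped across two fields.
CY_DS_LINE = ("cy. 86400 IN DS 53051 13 2 "
              "23E40296DD897E15A7B78061B987F240D0415ABC20382FDCDAEC24C7 FC8A9E0F")

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): hashlib name and digest length in bytes.
DS_DIGEST_TYPES = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed lowercase labels plus the root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of 16-bit big-endian words of the RDATA, folded."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS record fields for a DNSKEY: digest = hash(owner_wire + DNSKEY RDATA), RFC 4034 s.5.1.4."""
    hname, _ = DS_DIGEST_TYPES[digest_type]
    h = hashlib.new(hname)
    h.update(name_to_wire(owner) + rdata)
    return {"keytag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": h.hexdigest().upper()}


def parse_ds(line: str) -> dict:
    """Parse a DS record in presentation format, tolerating dig's wrapped digest."""
    fields = line.split()
    if "DS" not in fields:
        raise ValueError("not a DS record")
    i = fields.index("DS")
    keytag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    if digest_type not in DS_DIGEST_TYPES:
        raise ValueError(f"unknown DS digest type {digest_type}")
    expected = DS_DIGEST_TYPES[digest_type][1] * 2
    if len(digest) != expected:
        raise ValueError(f"digest type {digest_type} needs {expected} hex chars, got {len(digest)}")
    return {"keytag": keytag, "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if the DS was derived from this DNSKEY: key tag, algorithm and digest all agree."""
    regen = make_ds(owner, rdata, ds["digest_type"])
    return (regen["keytag"] == ds["keytag"] and regen["algorithm"] == ds["algorithm"]
            and regen["digest"] == ds["digest"])


if __name__ == "__main__":
    print("parsed from dig:", parse_ds(CY_DS_LINE))
    # Constructed KSK: flags 257, algorithm 13, and a placeholder 64-byte "public key".
    fake_key = dnskey_rdata(257, 13, b"\x01" * 64)
    ds = make_ds("cy.", fake_key)
    print("DS for constructed key:", ds)
    print("DS matches its DNSKEY:", ds_matches(ds, "cy.", fake_key))
```

The verification step is the same comparison a validator makes when it walks from the root into cy: the child DNSKEY is hashed with the owner name and compared against the DS the parent published. If the submission form had only allowed a digest type or algorithm the signer did not use, no DS could ever have matched, which is why the form’s missing option was blocking rather than cosmetic.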
I informed the lovely people at nic.cy and happily went to bed after gazing at the beautiful ad (Authenticated Data) flag dig(1) reported when querying cy via a validator.
It’s the first time I’ve worked with a ccTLD in this way, and it was a very exciting experience, but I must remember to update Wikipedia’s article on Adrenaline in which it says something about “10 ng/L and a 50-fold increase in times of stress”; that’s not true: I mopped up litres of the stuff here this week. ;-)