Implement DNSSEC for mozilla.cz

RESOLVED WONTFIX

Status

Infrastructure & Operations
Infrastructure: DNS
--
enhancement
RESOLVED WONTFIX
6 years ago
2 years ago

People

(Reporter: Pavel Franc - Mozilla.cz, Assigned: digi)

(Reporter)

Description

6 years ago
Mozilla.cz DNS is hosted on mozilla.org NS server
   whois mozilla.cz
   nsset:        NSS:MMMOZILLADNS
   nserver:      ns1.mozilla.org
   nserver:      ns2.mozilla.org
   tech-c:       SB:MARKMONITOR
   registrar:    REG-ACTIVE24


CZ top domain is already signed
   host -t ds cz.
   cz has DS record 14568 10 2 ...

and the Mozilla.cz registrar (ACTIVE24) supports DNSSEC

    "DNSSEC for already registered domain, which works on its own DNS servers, can be activated via the Customer Center. First, it is necessary to create a KEYSET object in the Customer Center and then editing the domain assigned this KEYSET to the domain."
Pavel,

This is not going to be a priority at this point, till we have mozilla.com and mozilla.net signed and working as expected. To roll out DNSSEC elsewhere (and to a larger subset of mozilla domains), we'll have to spend some time looking at signers etc. and how we can scale this in the long term.

This will not happen in the immediate future, so I'm going to move this into projects.
Assignee: server-ops → nobody
Component: Server Operations → Server Operations: Projects
(Assignee)

Updated

4 years ago
Depends on: 948813
(Assignee)

Updated

4 years ago
Assignee: nobody → bhourigan
Component: Server Operations: Projects → Infrastructure: DNS
Product: mozilla.org → Infrastructure & Operations
QA Contact: mzeier → jdow
(Assignee)

Comment 2

4 years ago
I'm getting an error when attempting to add the DS record at our domain registrar - this work will be postponed.

Failed to change dns keyset from: [] to: [DnsSec keyTag=37623, algorithm=7, digestType=1, digest=7278F97BB4CF2CE1A0EAEDD3347785D5C3D8C42F, flags=null, publicKey=null] because: Error creating keyset for domain id: 828015 at the registry.
(Assignee)

Comment 3

3 years ago
We cannot add dnssec support to .cz domains until the registrar starts supporting dnssec
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
Does MarkMonitor still not support DNSSEC for .CZ domains? I was unable to find any detailed information on their website.
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
Brian, can you please check if MarkMonitor still does not support DNSSEC for .CZ domains? I was unable to find any detailed information on their website.
Flags: needinfo?(bhourigan)
(Assignee)

Comment 6

2 years ago
(In reply to Michal Stanke (Mozilla.cz) [:MikkCZ] [away until Sep 10] from comment #5)
> Brian, can you please check if MarkMonitor still does not support DNSSEC for
> .CZ domains? I was unable to find any detailed information on their website.

:MikkCZ

Unfortunately this is no longer on my road map for this year, let's revisit this in 2016Q1 unless there is something I am missing.
Flags: needinfo?(bhourigan)
Hi.

The four months fled like water. Will we manage to do this in Q1? I would like to implement Let's Encrypt HTTPS as well, once our hosting provider supports it (hopefully soon), so having both in Q1 would be a great achievement.
Flags: needinfo?(bhourigan)
:digi, ping?
(Assignee)

Comment 9

2 years ago
(In reply to Michal Stanke (Mozilla.cz) [:MikkCZ] from comment #8)
> :digi, ping?

Hi Michal,

Sorry for the delay in getting back to you. We are not looking to implement DNSSEC on any additional domains, and we're going to roll DNSSEC back on mozilla.com. We have records being signed at our DNS servers, but the DS record at our registrar was never added and we have some limitations on our side that will prevent us from moving forward.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago → 2 years ago
Flags: needinfo?(bhourigan)
Resolution: --- → WONTFIX
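
The DS fields quoted in comment 2 (keyTag, algorithm, digestType, digest) are all derived from the zone's DNSKEY, and comment 9 describes a zone that is signed but has no DS record at the parent. The Python below is an added example, not part of the bug thread or of Mozilla's tooling: it derives those fields per RFC 4034 and classifies a delegation as secure, insecure or bogus. The owner name example.cz, the 4-byte placeholder key and all function names are assumptions made for illustration.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields the parent zone would publish for this DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"keyTag": key_tag(rdata), "algorithm": rdata[3],
            "digestType": digest_type, "digest": digest}

def ds_matches(owner, ds, rdata):
    """True if the DS record at the parent authenticates this DNSKEY."""
    if ds["digestType"] not in DIGESTS:
        return False
    want = make_ds(owner, rdata, ds["digestType"])
    return (want["keyTag"] == ds["keyTag"] and want["algorithm"] == ds["algorithm"]
            and want["digest"] == ds["digest"].upper())

def delegation_state(owner, parent_ds, child_keys):
    """'secure', 'insecure' (no DS at parent) or 'bogus' (DS matches no key)."""
    if not parent_ds:
        return "insecure"   # signed zone, but validators have nothing to anchor on
    ok = any(ds_matches(owner, ds, k) for ds in parent_ds for k in child_keys)
    return "secure" if ok else "bogus"

# Constructed sample: KSK flags 257, protocol 3, algorithm 7 as in comment 2;
# the 4-byte "key" is a placeholder, not a real RSA key.
OWNER = "example.cz"
KSK = dnskey_rdata(257, 3, 7, bytes([0, 1, 2, 3]))
DS = make_ds(OWNER, KSK, 1)
```

With digest type 1 the digest is 40 hex characters, the same length as the one in the registrar error in comment 2; a signed zone with an empty DS set at the parent evaluates to "insecure", which is the state comment 9 describes.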