* Viktor Dukhovni via Postfix-users <[email protected]>:
> On Wed, Jun 17, 2026 at 11:55:04AM +0200, Patrick Ben Koetter via
> Postfix-users wrote:
>
> > list.sys4.de has valid PTRs for its A and AAAA record:
> >
> >     $ dig +short -x 2a03:4000:20:189::195
> >     list.sys4.de.
> >     ...
> >     $ dig -x 45.90.5.195
> >     195.5.90.45.in-addr.arpa. 43200 IN PTR list.sys4.de.
>
> Indeed the DNS records are fine, from all relevant nameservers:
>
> https://dnsviz.net/d/list.sys4.de/ajTHmw/dnssec/
> https://dnsviz.net/d/195.5.90.45.in-addr.arpa/ajKbmw/dnssec/
> https://dnsviz.net/d/5.9.1.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.1.0.0.2.0.0.0.0.0.4.3.0.a.2.ip6.arpa/ajTJ9g/dnssec/
>
> The only technical anomaly is not known to be a problem in reality, the
> sys4.de DNSKEY RRset includes a spurious ECDSA P256(13) ZSK, with no
> associated RRSIGs. Since there's no ECDSA P256 DS record, no known
> validator will ignore the RSA RRSIGs and require ECDSA, but that
> ZSK should be dropped.
Maybe an anomaly now, but maybe / hopefully something you will get to see
more often in the future. The domain sys4.de is about to be migrated from
the old to a new hidden primary and we want to keep it DNSSEC-signed – even
during migration. Thus we cross-signed <https://www.rfc-editor.org/rfc/rfc8901.txt>
the zone. The ECDSA P256(13) ZSK you see is the new hidden primary's key:

    # dig +short @ns.sys4.de dnskey sys4.de | grep 256
    256 3 13 agpy/CBStcucMsVYBZIe2qjO1QxJS2gJwgEJk17Iu+tvyF9k6C60lmHJ B3sXrc4C2it7mhY4SUVsBrTtHk1ICg==
    256 3 8 AwEAAauOT7VmFa7/ncg6OIuCr4Eg4h99z6WPAEuMYuoW44PD9NgEZwsK 9CTTQZZds6bJ55QJ0NNo5R/cgFLk6m7G7EEx6x4roWQbg12gNDEAcG9v Yxn4iorx/wbmiSzrs4UipgtwjPzfIKP8e0Mjwth2r91q8/fNMzJYoP9f 5DwGLqo9

NOTE: While at it we (finally) took the chance and also upgraded the algo
from 8 to 13.

Now we will wait at least 2 x TTL of the .de TLD + 24 h before we will
switch to managing the domain from the new hidden primary. To do so –
scheduled to take place on 7.7.26 – we will announce the new authoritative
DNS servers for sys4.de (controlled by the new hidden primary) and then we
will remove the old primary's ZSK.

NOTE: Since we are not really in a hurry we might wait a little longer
until letsencrypt has begun using dns-persist-01
<https://letsencrypt.org/2026/02/18/dns-persist-01> in production, migrate
our cert management to that and then put the new primary into production.

p@rick

P.S. This is also how we migrated DNSSEC-enabled postfix.org & friends to a
new DNS hosting provider a few weeks ago. DNSSEC protection was upheld all
the time during migration. Carsten Strotmann, who migrated the zone together
with Wietse, gave a presentation at ICANN85 on the migration and the
learnings:
<https://hosted-files.sched.co/icann85/d6/2.2%20Postfix%27s%20multi-signer%20transition.pdf>

Key takeaway: Have a close look at management interfaces when adding a new
(read: second) ZSK as "add" most of the time seems to mean "replace", which
is definitely *not* what you want!
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
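The two conditions discussed in this thread can be checked mechanically: Viktor's observation that a DNSKEY in the RRset has made no RRSIG over the DNSKEY RRset, and the rule a multi-signer migration per RFC 8901 depends on, namely that every algorithm listed in the parent's DS set must have an RRSIG over the DNSKEY RRset or validators treat the zone as bogus (RFC 4035 section 2.2). The script below is an added example and is not code from the thread, from sys4 or from the Postfix project. It reads the presentation format that `dig +short` prints, computes key tags per RFC 4034 Appendix B, and runs on constructed sample data: tiny dummy public keys, a dummy signature blob, a zero-filled DS digest and the placeholder zone name example.net, none of which are real records.

```python
"""Multi-signer (RFC 8901) sanity check for a zone's DNSKEY RRset.

Added example, not from the mailing-list thread. Reports DNSKEYs that signed
nothing in the DNSKEY RRset, DS records matching no DNSKEY, and DS algorithms
with no RRSIG over the DNSKEY RRset (RFC 4035 section 2.2 violation).
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    @property
    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the wire-format RDATA."""
        if self.algorithm == 1:  # historic RSA/MD5 rule: low 16 bits of the modulus
            return int.from_bytes(self.rdata[-3:-1], "big")
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def role(self) -> str:
        """Flag value 1 is the SEP bit, set on KSKs by convention."""
        return "KSK" if self.flags & 1 else "ZSK"


def parse_dnskey(line: str) -> DNSKey:
    """'flags protocol algorithm base64...' (the base64 may be split by spaces)."""
    parts = line.split()
    flags, protocol, algorithm = (int(x) for x in parts[:3])
    return DNSKey(flags, protocol, algorithm, base64.b64decode("".join(parts[3:])))


def parse_rrsig(line: str) -> tuple[str, int, int]:
    """Return (type covered, algorithm, key tag) from an RRSIG presentation line."""
    parts = line.split()
    return parts[0], int(parts[1]), int(parts[6])


def parse_ds(line: str) -> tuple[int, int]:
    """Return (key tag, algorithm) from 'keytag algorithm digesttype digest'."""
    parts = line.split()
    return int(parts[0]), int(parts[1])


def split_dig_short(text: str) -> tuple[list[str], list[str]]:
    """Split `dig +short +dnssec DNSKEY <zone>` output into DNSKEY and RRSIG lines.
    DNSKEY rdata starts with the numeric flags field, RRSIG rdata with the type covered."""
    dnskeys, rrsigs = [], []
    for line in text.splitlines():
        if line.strip():
            (dnskeys if line.split()[0].isdigit() else rrsigs).append(line)
    return dnskeys, rrsigs


def audit(dnskey_lines, rrsig_lines, ds_lines) -> dict:
    """Return the three findings; all empty means the RRset is consistent."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    sigs = [parse_rrsig(l) for l in rrsig_lines]
    ds = [parse_ds(l) for l in ds_lines]
    # Only signatures covering the DNSKEY RRset itself matter for this check.
    signers = {(alg, tag) for covered, alg, tag in sigs if covered == "DNSKEY"}
    present = {(k.algorithm, k.key_tag) for k in keys}
    return {
        "unsigned_keys": [(k.role, k.algorithm, k.key_tag)
                          for k in keys if (k.algorithm, k.key_tag) not in signers],
        "ds_without_key": [(tag, alg) for tag, alg in ds if (alg, tag) not in present],
        "ds_algorithms_unsigned": sorted({alg for _, alg in ds} - {alg for alg, _ in signers}),
    }


# Constructed sample (dummy 4-byte and 2-byte "keys", dummy signature, zero digest):
# an RSA/SHA-256 (8) KSK and ZSK that both sign the DNSKEY RRset, plus a freshly
# added ECDSA P-256 (13) ZSK that has not signed anything yet, and a DS only for
# algorithm 8, i.e. the situation described in the thread.
SAMPLE_DNSKEYS = ["257 3 8 AwEAAQ==", "256 3 8 AwEAAQ==", "256 3 13 AQI="]
SAMPLE_RRSIGS = [
    "DNSKEY 8 2 3600 20260701000000 20260617000000 1803 example.net. c2ln",
    "DNSKEY 8 2 3600 20260701000000 20260617000000 1802 example.net. c2ln",
    "SOA 8 2 3600 20260701000000 20260617000000 1802 example.net. c2ln",
]
SAMPLE_DS = ["1803 8 2 " + "00" * 32]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DNSKEYS, SAMPLE_RRSIGS, SAMPLE_DS).items():
        print(f"{name}: {finding or 'none'}")
```

On the sample the only finding is the algorithm-13 ZSK with no RRSIG, which validators ignore as long as no algorithm-13 DS exists; adding such a DS before the new primary has started signing turns the same RRset into a bogus zone, which is the ordering a cross-signed migration has to get right. With live data, pass the output of `dig +short +dnssec DNSKEY <zone>` through `split_dig_short` and the output of `dig +short DS <zone>` as the DS lines.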
