alegsalv

DNSSEC misconfiguration - orphaned DS records causing validation failures


 Hi AirVPN team,

  I discovered that the airvpn.org domain has orphaned DS records in the .org zone that cause DNSSEC validation failures with strict resolvers.

  The problem:

  The .org registry has DS records for algorithm 8 (RSA) keys that no longer exist in the DNSKEY set:

  DS 28066 - Algorithm 8 (RSA) - No matching DNSKEY
  DS 50944 - Algorithm 8 (RSA) - No matching DNSKEY
  DS 51959 - Algorithm 13 (ECDSA) - Valid
  DS 20410 - Algorithm 13 (ECDSA) - Valid

  Impact:

  Resolvers with strict DNSSEC validation (e.g., Unbound with harden-algo-downgrade: yes) return SERVFAIL for airvpn.org because they expect DNSKEYs for all
  algorithms advertised in the DS records.

  Most public resolvers (Quad9, Cloudflare, Google) handle this gracefully, but users running their own recursive resolvers may be unable to access your website.

  Fix:

  Remove the stale DS records (key IDs 28066 and 50944) from the .org registry through your domain registrar.

  Verification commands:
 

  dig airvpn.org DS +short
  dig airvpn.org DNSKEY +short

  Thanks for looking into this!
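A way to cross-check the parent's DS set against the child's DNSKEY set, as an added example that is not code from the post or from AirVPN: it computes key tags per RFC 4034 Appendix B and DS SHA-256 digests (RFC 4509), parses `dig +short` style lines, and reports both DS entries with no matching DNSKEY and DS algorithms the child does not publish at all (the case that makes `harden-algo-downgrade` resolvers fail). The KSK bytes and the orphan digests are constructed, not airvpn.org's real key material; only the orphaned key tags 28066 and 50944 come from the post.

```python
import base64
import hashlib
import struct

OWNER = "airvpn.org."  # zone from the post; the key material below is constructed, not the real keys

def key_tag(rdata):
    # Key tag per RFC 4034 Appendix B (the variant used for every algorithm except 1)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    # DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509)
    labels = [l.lower().encode() for l in owner.rstrip(".").split(".")]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return hashlib.sha256(name + rdata).hexdigest()

def parse_dnskey_short(line):
    # One line of `dig DNSKEY +short` ("flags proto alg base64...") -> wire RDATA (RFC 4034 2.1)
    flags, proto, alg, *b64 = line.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def parse_ds_short(line):
    # One line of `dig DS +short`: "tag alg digest_type hex..."
    tag, alg, dtype, *hexparts = line.split()
    return int(tag), int(alg), int(dtype), "".join(hexparts).lower()

def check_ds_set(owner, ds_lines, dnskey_lines):
    # Returns (orphaned DS entries, DS algorithms for which the child publishes no DNSKEY at all).
    # A DS is orphaned when no DNSKEY shares its key tag and algorithm, or its digest mismatches.
    keys = [parse_dnskey_short(l) for l in dnskey_lines]
    by_id = {(key_tag(rd), rd[3]): rd for rd in keys}
    orphans, algos_in_ds = [], set()
    for tag, alg, dtype, digest in map(parse_ds_short, ds_lines):
        algos_in_ds.add(alg)
        rd = by_id.get((tag, alg))
        if rd is None or dtype != 2 or ds_digest(owner, rd) != digest:
            orphans.append((tag, alg))
    return orphans, sorted(algos_in_ds - {rd[3] for rd in keys})

# Constructed sample: one ECDSA P-256 KSK whose 64 "key" bytes are simply 0..63.
KSK_LINE = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
KSK_RDATA = parse_dnskey_short(KSK_LINE)
DS_LINES = [
    f"{key_tag(KSK_RDATA)} 13 2 {ds_digest(OWNER, KSK_RDATA)}",  # matches the KSK above
    "28066 8 2 " + "00" * 32,  # key tags from the post; these digests are constructed placeholders
    "50944 8 2 " + "11" * 32,
]
```

Feed `check_ds_set` the real output of the two `dig` commands above (DS lines from the parent, DNSKEY lines from the child) to get the same report for a live zone.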

1 hour ago, alegsalv said:
Fix:

  Remove the stale DS records (key IDs 28066 and 50944) from the .org registry through your domain registrar.

Hello!

Thanks, we are aware of the problem. Unfortunately the registrar does not allow changing this setting on the authoritative DNS. By deliberate choice, airvpn.org is one of the very few domain names we operate for which we do not directly manage the metal behind our own authoritative servers. We will anyway remind the provider of the problem, as we did in the past, and we will consider whether it is appropriate to move the domain name because of this problem.

Kind regards
 
