* Matthijs Mekking <matth...@isc.org> [2023-06-02 14:10]:
> Did you wait until the migration was complete? Everything needs to be
> omnipresent after the migration before you can make DNSSEC policy changes
> safely.

Well, there was no easy way to tell if migration was complete; there
were no indications if the DS hidden status would change or not.

> I noticed:
> 
> >    - ds:             hidden
> 
> This means that from BIND's perspective the DS has not been published. Most
> likely because the other keys were not fully omnipresent yet.

All the keys and the DS were published for years. I don't know why
BIND assumed this wasn't the case.

> If the DS is not published yet, or at least the migration has not reached
> this state yet, you can do anything with the DNSSEC records, because of the
> absence of a secure delegation

Well, I configured a parental-agent so BIND would've been free to
check for the DS record whenever convenient in the process.

Best Regards

Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant