* Matthijs Mekking <matth...@isc.org> [2023-06-02 14:10]:
> Did you wait until the migration was complete? Everything needs to be
> omnipresent after the migration before you can make DNSSEC policy changes
> safely.

Well, there was no easy way to tell if migration was complete; there were no indications if the DS hidden status would change or not.

> I noticed:
>
> > - ds: hidden
>
> This means that from BIND's perspective the DS has not been published. Most
> likely because the other keys were not fully omnipresent yet.

All the keys and the DS were published for years. I don't know why BIND assumed this wasn't the case.

> If the DS is not published yet, or at least the migration has not reached
> this state yet, you can do anything with the DNSSEC records, because of the
> absence of a secure delegation

Well, I configured a parental-agent so BIND would've been free to check for the DS record whenever convenient in the process.

Best Regards

Sebastian

--
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
        -- Terry Pratchett, The Fifth Elephant