(Seems I can't reply directly to the author)

$ dig covisp.net ds

; <<>> DiG 9.11.2-P1 <<>> covisp.net ds
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
covisp.net. 86352 IN DS 1 7 1 E59B549EC68D577C44A4E13542257CA44FE21970
covisp.net. 86352 IN DS 2 7 2 051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02
Umm... this initially looks great but something is seriously strange. The first numerical value after DS should be the Key ID (or Key Tag). I really doubt that you would (randomly) create two different DNSKEY records with sequential Key-IDs (Tags) starting from "1"... it's usually a relatively random value between 1 and 2^16.

Also as an aside - many people are no longer putting the SHA-1 Digest type DS record in their parent, just the longer (more secure?) SHA-256 (Digest Type 2) record. As the root uses Algorithm 8 - many people also use algorithm 8 - you are using algorithm 7. Algorithm roll-overs are a pain so if you can - move straight to 8.

I also cannot detect a DNSKEY in your zone?

dig covisp.net dnskey +cd

...gives your SOA. Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Adding DS records into your parent should be the last part of the process in securing your Zone with DNSSEC. I really think you need to start over. What are you using to sign your zone with? Maybe I can help. Take a look at https://dnssec.co.za

On 09/09/2018 08:59 PM, LuKreme wrote:
> On Sep 8, 2018, at 10:21, Mark Elkins <m...@posix.co.za> wrote:
>> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
>> don't see any DS records for it in the "net" zone.
>
> I think I have everything set now and am hoping the two errors I have
> about validation are a matter of waiting for hover to propagate.
>
> “None of the 2 DNSKEY records could be validated by any of the 2 DS
> records”
>
> Thanks for all your help. We'll see if I still show this as broken
> tomorrow.
>
> --
> My main job is trying to come up with new and innovative and effective
> ways to reject even more mail. I'm up to about 97% now.
--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
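The diagnosis in the message above (key tags 1 and 2 look nothing like real key tags, and the DS records in the parent cannot validate any DNSKEY) can be checked mechanically: a DS record is the key tag, algorithm, digest type and a hash of the owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the checksum over the RDATA from RFC 4034 Appendix B. The following script is an added example written for this thread, not code from the thread or from BIND. It reuses the two DS lines quoted from the "net" zone above, but the DNSKEY line is constructed with dummy key bytes ("AQID") so the script runs offline; it is not covisp.net's real key.

```python
"""Check whether DS records in a parent zone cover a child's DNSKEY records.

Implements the DS digest (RFC 4034 s5.1.4) and the key tag (RFC 4034 App. B)
so output of `dig <zone> ds` can be compared against `dig <zone> dnskey`.
"""
import base64
import hashlib
from dataclasses import dataclass

# Digest types registered for DS records that hashlib can compute.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as dig prints it (minus line wrapping)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def parse_ds(line: str) -> DS:
    """Parse a DS line in dig presentation format; dig may split the digest with spaces."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return DS(tag, alg, dtype, "".join(f[i + 4:]).lower())


def parse_dnskey(line: str) -> DNSKEY:
    """Parse a DNSKEY line in dig presentation format (base64 key may be wrapped)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return DNSKEY(flags, proto, alg, base64.b64decode("".join(f[i + 4:])))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit ones-complement-style checksum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, length-prefixed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def ds_digest(owner: str, key: DNSKEY, digest_type: int) -> str:
    """digest = hash(owner name | DNSKEY RDATA), per RFC 4034 s5.1.4."""
    return DIGEST_TYPES[digest_type](owner_wire(owner) + key.rdata()).hexdigest()


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """The DS record a parent should publish for this DNSKEY."""
    return DS(key_tag(key.rdata()), key.algorithm, digest_type,
              ds_digest(owner, key, digest_type))


def ds_covers(ds: DS, owner: str, key: DNSKEY) -> bool:
    """True if this DS validates this DNSKEY (tag, algorithm and digest all agree)."""
    return (ds.digest_type in DIGEST_TYPES
            and ds.key_tag == key_tag(key.rdata())
            and ds.algorithm == key.algorithm
            and ds.digest == ds_digest(owner, key, ds.digest_type))


def check_delegation(owner, ds_lines, dnskey_lines):
    """For each DS, the DNSKEY it validates, or None (the 'could not be validated' case)."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    report = []
    for line in ds_lines:
        ds = parse_ds(line)
        report.append((ds, next((k for k in keys if ds_covers(ds, owner, k)), None)))
    return report


# Sample input: the two DS lines quoted from the parent zone in the thread, and a
# constructed DNSKEY whose key material ("AQID" = bytes 01 02 03) is a dummy.
PARENT_DS_LINES = [
    "covisp.net. 86352 IN DS 1 7 1 E59B549EC68D577C44A4E13542257CA44FE21970",
    "covisp.net. 86352 IN DS 2 7 2 051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02",
]
CHILD_DNSKEY_LINE = "covisp.net. 3600 IN DNSKEY 257 3 7 AQID"  # constructed dummy

if __name__ == "__main__":
    for ds, match in check_delegation("covisp.net.", PARENT_DS_LINES, [CHILD_DNSKEY_LINE]):
        print(f"DS tag={ds.key_tag} alg={ds.algorithm} type={ds.digest_type}:",
              "validates a DNSKEY" if match else "validates NO DNSKEY")
    good = make_ds("covisp.net.", parse_dnskey(CHILD_DNSKEY_LINE), 2)
    print(f"expected DS for the dummy key: {good.key_tag} {good.algorithm} {good.digest_type} {good.digest}")
```

Run against real data, replace the two sample lists with the actual `dig <zone> ds` and `dig <zone> dnskey +cd` answer lines; a DS that reports "validates NO DNSKEY" is exactly the condition the quoted error message describes, and `make_ds` with digest type 2 prints the SHA-256 DS that the parent should carry instead.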