Firstly, don’t blindly add DS records without first checking that the DNSKEYs they refer to are published. DNSSEC is less tolerant of operator error and sometimes things go wrong. There are lots of “wait until …” steps in managing DNSSEC, and if you don’t wait, DNSSEC validation will fail as a result, as you have seen.
I see the following, which indicates to me that 9675 is published but not active and 28998 is published and active.

[beetle:~/git/bind9] marka% dig dnskey cascocom.com @ns1.peak.org +dnssec +rrcom

; <<>> DiG 9.15.4 <<>> dnskey cascocom.com @ns1.peak.org +dnssec +rrcom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20347
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cascocom.com.                  IN      DNSKEY

;; ANSWER SECTION:
cascocom.com.           3600    IN      DNSKEY  256 3 5 AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5T Ti3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp 7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4 JlU59n5v  ; ZSK; alg = RSASHA1 ; key id = 9675
cascocom.com.           3600    IN      DNSKEY  256 3 8 AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ; ZSK; alg = RSASHA256 ; key id = 28998
cascocom.com.           3600    IN      RRSIG   DNSKEY 8 2 3600 20200409011715 20200310001715 28998 cascocom.com. R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1 bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=

;; Query time: 509 msec
;; SERVER: 207.55.16.51#53(207.55.16.51)
;; WHEN: Wed Mar 11 09:50:14 AEDT 2020
;; MSG SIZE  rcvd: 509

[beetle:~/git/bind9] marka%

and with the following DS records there isn’t a secure path.

cascocom.com.           85427   IN      DS      9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
cascocom.com.           85427   IN      DS      30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C

Now, I don’t know exactly what you did, but the detected error will have been logged.
Mark

> On 11 Mar 2020, at 09:39, Alan Batie <a...@peak.org> wrote:
>
> I've got a test domain that I thought I had all working, but noticed the
> key signing key was missing, so I generated one and did an rndc loadkeys
> to get things updated, then generated a ds record for it and uploaded
> that to the registrar, however, it still shows broken, and when I look,
> I see that the zone signing key 28998 is self-signed, rather than being
> signed by the zsk 30841?  Am I misunderstanding something here?
>
> keys/Kcascocom.com.+008+28998.key:; This is a zone-signing key, keyid 28998, for cascocom.com.
> keys/Kcascocom.com.+008+30841.key:; This is a key-signing key, keyid 30841, for cascocom.com.
>
> ;; ANSWER SECTION:
> cascocom.com.           3600    IN      DNSKEY  256 3 8 AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ; ZSK; alg = RSASHA256 ; key id = 28998
> cascocom.com.           3600    IN      RRSIG   DNSKEY 8 2 3600 20200409011715 20200310001715 28998 cascocom.com. R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1 bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
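The check Mark describes (does each DS in the parent point at a DNSKEY that is both published and actually signing the DNSKEY RRset?) can be scripted before a DS is ever handed to the registrar. The script below is an added example and is not code from this thread or from BIND; it implements the RFC 4034 key-tag (Appendix B) and DS-digest (section 5.1.4) computations and runs them over the DNSKEY, RRSIG and DS records pasted above, copied in as constructed input. The function and variable names are the example's own. For a DS to give a secure path it requires three things: a published DNSKEY with the same key tag and algorithm, a matching digest, and an RRSIG over the DNSKEY RRset made by that key. The second DS (30841) fails the first test, and the first DS (9675) fails the third because the only RRSIG over the DNSKEY RRset was made by 28998, so neither DS yields a secure path.

```python
"""Check whether any DS record gives a secure path to a zone's DNSKEY RRset.

Added example, not code from the bind-users post or from BIND.  Key tags and DS
digests are computed per RFC 4034; the input records are copied from the post.
"""
import base64
import hashlib
import struct

ZONE = "cascocom.com."

# DNSKEY RRset as served by ns1.peak.org in the dig output above
# (flags, protocol, algorithm, base64 public key).  Constructed input.
DNSKEYS = [
    (256, 3, 5, "AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5T"
                "Ti3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp"
                "7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4"
                "JlU59n5v"),
    (256, 3, 8, "AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI"
                "W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV"
                "V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS"
                "0kCgfs2h"),
]

# Key tags appearing in the RRSIG(s) that cover the DNSKEY RRset (one RRSIG, by 28998).
DNSKEY_RRSIG_SIGNERS = {28998}

# DS records published in the parent, as quoted above
# (key tag, algorithm, digest type, digest hex).  Constructed input.
DS_RECORDS = [
    (9675, 5, 2, "EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234"),
    (30841, 8, 2, "E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C"),
]

# DS digest type -> hashlib name (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name):
    """Canonical (lowercase) wire form of an absolute owner name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def check_ds_chain(zone, dnskeys, signers, ds_records):
    """Return {'ds': {key tag: [problems]}, 'secure': bool}.

    A DS yields a secure path only if (1) a published DNSKEY has the same key tag
    and algorithm, (2) that key's digest matches the DS, and (3) that key made an
    RRSIG over the DNSKEY RRset.  Validators do not require the SEP flag bit, so
    flags are deliberately not checked here.
    """
    published = {}
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        published.setdefault((key_tag(rdata), alg), []).append(rdata)

    report = {}
    for tag, alg, dtype, digest in ds_records:
        problems = []
        candidates = published.get((tag, alg), [])
        if not candidates:
            problems.append("no published DNSKEY with key tag %d and algorithm %d" % (tag, alg))
        else:
            if not any(ds_digest(zone, r, dtype) == digest.upper() for r in candidates):
                problems.append("DS digest does not match published DNSKEY %d" % tag)
            if tag not in signers:
                problems.append("DNSKEY RRset carries no RRSIG made by key %d" % tag)
        report[tag] = problems
    return {"ds": report, "secure": any(not p for p in report.values())}


if __name__ == "__main__":
    for flags, proto, alg, b64 in DNSKEYS:
        print("published DNSKEY: flags=%d alg=%d key tag=%d"
              % (flags, alg, key_tag(dnskey_rdata(flags, proto, alg, b64))))
    result = check_ds_chain(ZONE, DNSKEYS, DNSKEY_RRSIG_SIGNERS, DS_RECORDS)
    for tag, problems in result["ds"].items():
        print("DS %d: %s" % (tag, "OK" if not problems else "; ".join(problems)))
    print("secure path:", result["secure"])
```

The key tags the script prints for the two published keys can be compared against the "key id" comments in dig's +rrcomments output; they are derived from the same RDATA. In practice the DNSKEY and RRSIG input would come from a live query against every authoritative server for the zone (not just one), since a DS is only safe to publish once the matching, signing DNSKEY is visible everywhere and has been for longer than the old DNSKEY RRset's TTL.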