On 3/10/20 4:03 PM, Mark Andrews wrote:
> Firstly don’t blindly add DS records without first checking that the DNSKEYs
> they refer to are published. DNSSEC is less tolerant of operator error and
> sometimes things go wrong. There are lots of “wait until …” in managing DNSSEC
> and if you don’t wait DNSSEC validations will fail as a result as you have
> seen.

I have been trying to figure out a good way to validate that everything is ready for the DS record to be published - a "zone_test" script, but that's a separate issue.

> I see the following which indicates to me that 9675 is published but not active
> and 28998 is published and active.

Yes, those are both zone signing keys (migrating from SHA-1 to SHA-256).

> [beetle:~/git/bind9] marka%
>
> and with the following DS records there isn’t secure path.
>
> cascocom.com. 85427 IN DS 9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
> cascocom.com. 85427 IN DS 30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C
>
> now I don’t know exactly what you did but detected error will have been logged.

I'm not sure how a DS record for 9675 got generated, as that's a ZSK? It might be better to wipe everything for this zone and start over, as I seem to have done something that got it very confused.
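The check Mark Andrews describes (a DS record must refer to a DNSKEY that is actually published, and for a secure path that key must also sign the DNSKEY RRset) can be scripted. The following is an added example, not the original poster's zone_test script and not BIND code: it computes key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4) with only the Python standard library, then classifies every DS the parent would publish as OK, not published, or published but not signing. The DNSKEY, RRSIG key tags and DS records in it are constructed sample values (hypothetical 4-byte "public keys", not real RSA keys); in practice you would paste the RDATA from `dig +dnssec DNSKEY` and `dig DS` into `DNSKEY.from_text` and `DS.from_text`.

```python
"""Pre-publication DS sanity check (added example, standard library only).

Given the child zone's DNSKEY RRset, the key tags seen in RRSIG(DNSKEY), and
the DS records as they would appear in the parent, report which DS records
actually give a validator a secure path into the zone.
"""
import base64
import hashlib
from dataclasses import dataclass

# RFC 4034 section 5.1.3 digest types; GOST (3) is deliberately left out.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_text(cls, text: str) -> "DNSKEY":
        """Parse DNSKEY RDATA as dig prints it, e.g. '257 3 8 AwEAAc...' (parentheses tolerated)."""
        flags, proto, alg, *b64 = text.replace("(", " ").replace(")", " ").split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    @property
    def is_sep(self) -> bool:
        """SEP bit (flags & 1) marks a KSK; it is advisory, validators do not require it."""
        return bool(self.flags & 0x0001)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B.1 key tag (algorithm 1/RSAMD5 uses another rule; not handled)."""
        if self.algorithm == 1:
            raise ValueError("RSAMD5 key tags are not supported")
        ac = 0
        for i, byte in enumerate(self.rdata):
            ac += (byte << 8) if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

    @classmethod
    def from_text(cls, text: str) -> "DS":
        """Parse DS RDATA, e.g. '30841 8 2 E887...' (digest may be wrapped or lowercase)."""
        tag, alg, dtype, *hexparts = text.split()
        return cls(int(tag), int(alg), int(dtype), "".join(hexparts).upper())


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: digest over canonical owner name followed by DNSKEY RDATA."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + key.rdata)
    return DS(key.key_tag(), key.algorithm, digest_type, h.hexdigest().upper())


def check_ds_set(owner, ds_records, dnskeys, signer_key_tags):
    """Classify each DS; returns (secure_path_exists, {ds: verdict})."""
    verdicts, secure = {}, False
    for ds in ds_records:
        if ds.digest_type not in DIGEST_TYPES:
            verdicts[ds] = "UNSUPPORTED: digest type %d not checked" % ds.digest_type
            continue
        matching = [k for k in dnskeys if ds_from_dnskey(owner, k, ds.digest_type) == ds]
        if not matching:
            verdicts[ds] = "NOT PUBLISHED: no DNSKEY in the zone matches this DS"
        elif ds.key_tag not in signer_key_tags:
            verdicts[ds] = "NO CHAIN: DNSKEY is published but does not sign the DNSKEY RRset"
        else:
            secure = True
            verdicts[ds] = "OK" if matching[0].is_sep else "OK (SEP flag clear: this DS points at a ZSK)"
    return secure, verdicts


if __name__ == "__main__":
    # Constructed sample data: hypothetical 4-byte "public keys", not real RSA keys.
    owner = "cascocom.com."
    ksk = DNSKEY.from_text("257 3 8 AQIDBA==")
    zsk = DNSKEY.from_text("256 3 8 BQYHCA==")
    signers = {ksk.key_tag()}  # key tags seen in RRSIG(DNSKEY): only the KSK signs the RRset
    parent_ds = [
        ds_from_dnskey(owner, ksk),               # correct DS for the KSK
        ds_from_dnskey(owner, zsk),               # stray DS for a ZSK that does not sign DNSKEY
        DS.from_text("30841 8 2 " + "00" * 32),   # DS for a key that is not published at all
    ]
    secure, verdicts = check_ds_set(owner, parent_ds, [ksk, zsk], signers)
    for ds, verdict in verdicts.items():
        print(f"DS {ds.key_tag} {ds.algorithm} {ds.digest_type}: {verdict}")
    print("secure path:", secure)
```

The digest input is exactly what BIND's `dnssec-dsfromkey` hashes, so a DS produced by `dnssec-dsfromkey -2 <keyfile>` will compare equal to `ds_from_dnskey(owner, key, 2)`. Two points the verdicts encode: a DS for a published key that does not sign the DNSKEY RRset (the "published but not active" case above) gives no chain of trust at all, while a DS that points at a ZSK is accepted by validators as long as that key signs the DNSKEY RRset, so it is flagged only as a warning. Run the check against every authoritative server, not just the primary, since the parent's DS is compared against whichever server a validator happens to query.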
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users