On 05/01/2022 8:53 pm, Mark Andrews wrote:
> Why should you want them to go away while you still have DS records
> referencing them?
> You also have a CDS record referencing a DNSKEY that dnssec-policy
> doesn’t seem to know about.
>
> sienawx.us. 2892 IN CDS 49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
>
> The DS records need to be removed before the DNSKEYs referencing them
> go. Also does your registrar support CDS/CDNSKEY or do you need to
> manually update the DS records? Based on
> https://support.google.com/domains/answer/6387342?hl=en&ref_topic=9018335
> I’d say no
[SNIP]
Thanks, Mark. I've cleaned up the DS records in Google, and fixed the
sienawx.us CDS issue (it was added by bind at some point, but wasn't in my
unsigned zone, so I stopped bind, removed the signed version of the zone,
upped the SOA serial in the unsigned version to higher than what was in the
signed version, and restarted bind).
I also didn't realize I needed to do an rndc dnssec -checkds -key <keyid> withdrawn <domain>.
I did find a manpage bug for the rndc man page for 9.18.2:

    dnssec (-status | -rollover -key id [-alg algorithm] [-when time] |
    -checkds [-key id [-alg algorithm]] [-when time] published |
    withdraw))
    zone [class [view]]

s/withdraw/withdrawn/

withdraw garners a syntax error :(
Thanks for the inbound clue-by-four.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
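The two rules in Mark's reply (a DS/CDS must match a DNSKEY the zone actually publishes, and a key must not be withdrawn while a DS still references it) can be checked offline before running the withdrawn step. The script below is an added example written for this page; it is not code from the thread, from BIND or from ISC. It uses only the Python standard library, implements the RFC 4034 key tag and DS digest itself, and works on constructed dummy DNSKEYs (fake 12-byte public keys that validate nothing); the only input taken from the thread is the CDS line, which in this dummy zone correctly shows up as an orphan.

```python
"""Pre-flight audit before withdrawing a DNSSEC key (the step the thread
describes with "rndc dnssec -checkds -key <keyid> withdrawn <zone>").

Checks, following Mark's reply:
  1. a DS (or CDS) record that matches none of the zone's DNSKEYs is an orphan
     (a stale parent DS, or a CDS for a key dnssec-policy does not manage);
  2. a DNSKEY that a DS still references must not be withdrawn yet.

Added example, standard library only. The DNSKEYs below are constructed
dummies with fake 12-byte public keys; they are not real keys.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4509, RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

ZONE = "sienawx.us."  # zone name from the thread


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercased) wire form, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """'257 3 8 <base64...>' -> DNSKEY RDATA in wire form (flags, protocol, alg, key)."""
    flags, proto, alg, *b64 = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS/CDS RDATA (tag, alg, digest type, hex digest) for a DNSKEY, RFC 4034 section 5.1.4."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(text: str) -> tuple:
    """'49366 8 2 60E3... D95F8CED' -> (tag, alg, digest type, digest).
    dig may break the hex digest into several words, as in the thread, so they are joined."""
    tag, alg, dtype, *hexwords = text.split()
    return int(tag), int(alg), int(dtype), "".join(hexwords).upper()


def audit(owner: str, dnskeys: list, ds_records: list) -> tuple:
    """Return (orphan DS/CDS records, key tags still referenced by some DS)."""
    expected = {}  # every DS a published DNSKEY could legitimately have -> its key tag
    for text in dnskeys:
        rdata = parse_dnskey(text)
        for dtype in DIGEST_ALGS:
            expected[make_ds(owner, rdata, dtype)] = key_tag(rdata)
    present = {parse_ds(d) for d in ds_records}
    orphans = sorted(present - set(expected))
    referenced = sorted({expected[d] for d in present & set(expected)})
    return orphans, referenced


def safe_to_withdraw(owner: str, dnskeys: list, ds_records: list, tag: int) -> bool:
    """True only when no DS/CDS still points at key `tag` (the DS has to go first)."""
    return tag not in audit(owner, dnskeys, ds_records)[1]


def _fake_key(hexkey: str) -> str:
    """Base64 of a constructed, meaningless public key blob (sample data only)."""
    return base64.b64encode(bytes.fromhex(hexkey)).decode()


# Constructed sample data (not real keys): a KSK (flags 257) and a ZSK (flags 256).
DNSKEY_KSK = "257 3 8 " + _fake_key("03010001abcdef0123456789")
DNSKEY_ZSK = "256 3 8 " + _fake_key("030100010102030405060708")
# DS as the parent would hold it for the dummy KSK (derived in code, digest type 2).
DS_KSK = "%d %d %d %s" % make_ds(ZONE, parse_dnskey(DNSKEY_KSK))
# The CDS line from the thread, verbatim; it names a key this dummy zone does not have.
THREAD_CDS = "49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED"

if __name__ == "__main__":
    keys, ds = [DNSKEY_KSK, DNSKEY_ZSK], [DS_KSK, THREAD_CDS]
    orphans, referenced = audit(ZONE, keys, ds)
    print("orphan DS/CDS (no matching DNSKEY):", orphans)
    print("key tags still anchored by a DS:   ", referenced)
    for label, text in (("KSK", DNSKEY_KSK), ("ZSK", DNSKEY_ZSK)):
        tag = key_tag(parse_dnskey(text))
        verdict = "safe to withdraw" if safe_to_withdraw(ZONE, keys, ds, tag) else "remove its DS first"
        print(f"{label} tag {tag}: {verdict}")
```

In practice the inputs come from `dig +short DNSKEY <zone>` at the child and `dig +short DS <zone>` at the parent (plus the zone's own CDS set); the script runs against those strings unchanged. An orphan in the DS set is the dangerous case: once the last DNSKEY it matches is gone, validators treat the whole zone as bogus, which is why the thread has the DS removed at the registrar first and the key withdrawn afterwards.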
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users