This is the expected state; this TLD is mid-transition. When this is complete,
the currently unused DS and DNSKEY will be used for signing. This is
pre-publication of the new data.

Regards

Brett

--
Brett Carr
Manager DNS Engineering
Nominet UK


From: dns-operations <[email protected]> on behalf of Matthew 
Richardson <[email protected]>
Date: Friday, 14 January 2022 at 10:17
To: [email protected] <[email protected]>
Subject: [dns-operations] TLD .law - non-signing KSK with referenced DS

Having been looking at .law following what looks like a slightly
sub-optimal redelegation (now complete), I notice that Zonemaster is
reporting DNSSEC issues:-

https://www.zonemaster.fr/result/f9fcceaef969aea1

>DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with
>tag 16819 that the the DS record refers to.

whereas DNSViz reports no such problem:-

https://dnsviz.net/d/law/YeEwEg/dnssec/

Looking visually at the DNSViz output, the KSK 16819 does look strange as
it is referenced by a DS but does not sign anything.

Out of interest, do folks think this is a valid configuration?

Best wishes,
Matthew
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
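
An added example, not part of the original thread: a small check that separates a pre-published DS (the state described above) from a DS that is actually in use or one that points at no key at all. All key material, the algorithm number and the signer set are constructed; the standby key is built so that its RFC 4034 key tag is 16819, and matching is by key tag and algorithm only.

```python
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def classify_ds(ds_set, dnskeys, dnskey_rrsig_signers):
    """Map each DS, given as (key_tag, algorithm), to its role at the child apex.

    Assumption: matching by key tag and algorithm only. A validator also
    checks the DS digest and verifies the RRSIG cryptographically.
    """
    present = {(key_tag(*k), k[2]) for k in dnskeys}
    roles = {}
    for ds in ds_set:
        if ds not in present:
            roles[ds] = "dangling"        # DS refers to no published DNSKEY
        elif ds in dnskey_rrsig_signers:
            roles[ds] = "active"          # key signs the DNSKEY RRset
        else:
            roles[ds] = "pre-published"   # key published, not yet signing
    return roles

def chain_is_secure(roles):
    """One DS -> DNSKEY -> RRSIG(DNSKEY) path is enough for a validator."""
    return "active" in roles.values()

# Constructed sample data (not the real .law keys).
STANDBY_KSK = (257, 3, 8, bytes.fromhex("3daa") + bytes(30))  # key tag 16819
ACTIVE_KSK = (257, 3, 8, bytes(range(32)))
ZSK = (256, 3, 8, bytes(range(32, 64)))
DNSKEYS = [STANDBY_KSK, ACTIVE_KSK, ZSK]
ACTIVE_TAG = key_tag(*ACTIVE_KSK)
DS_SET = [(16819, 8), (ACTIVE_TAG, 8)]   # DS RRset at the parent
SIGNERS = {(ACTIVE_TAG, 8)}              # key tags on RRSIG(DNSKEY)

if __name__ == "__main__":
    roles = classify_ds(DS_SET, DNSKEYS, SIGNERS)
    for (tag, alg), role in roles.items():
        print(f"DS tag={tag} alg={alg}: {role}")
    print("secure chain:", chain_is_secure(roles))
```

A monitoring check built this way would alert only when no DS is "active" or when a DS is "dangling", rather than on every DS whose key is not signing.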