Hi Your DS in .NET was missing at this point https://dnsviz.net/d/enfer-du-nord.net/aAeeOQ/dnssec/. So You did solve it the correct way. (If You do not use autoprovisioning as described in rfc8078 but i haven't found a way to do that in .NET TLD) I don't know how or why it was removed though but it is probably something that happened at Your registrar.
/Leif On Tue, Apr 22, 2025 at 4:46 PM Michael Grimm via knot-dns-users < [email protected]> wrote: > Hi, > > this happened to me for the second time, that https://dnsviz.net < > https://dnsviz.net/> tells me: > > | enfer-du-nord.net/CDNSKEY: The CDNSKEY RRset must be signed with a key > that is represented in both the > | current DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1. > > | enfer-du-nord.net/CDS: The CDS RRset must be signed with a key that is > represented in both the current > | DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1. > > I do not understand what that means. > > #) I haven't modified my KSK for some time now > #) I did notify my parent zone about a modified list of nameservers (via > registrar's web portal) > > I am not absolutely sure if the latter is the cause for these error > messages. > > I 'fixed' that issue by re-uploading my unmodified KSK DNSKEY (via > registrar's web portal). > > Hmm, how can I fix that issue the right way? > > Any hints are highly welcome, > Michael > > > -- >
--
