On Tue, Apr 22, 2025 at 04:45:43PM CEST, Michael Grimm via knot-dns-users <[email protected]> said:
> Hi,
>
> this happened to me for the second time, that https://dnsviz.net
> <https://dnsviz.net/> tells me:
>
> | enfer-du-nord.net/CDNSKEY: The CDNSKEY RRset must be signed with a key that
> | is represented in both the current DNSKEY and the current DS RRset.
> | See RFC 7344, Sec. 4.1.
>
> | enfer-du-nord.net/CDS: The CDS RRset must be signed with a key that is
> | represented in both the current DNSKEY and the current DS RRset.
> | See RFC 7344, Sec. 4.1.
>
> I do not understand what that means.
>
> #) I haven't modified my KSK for some time now
> #) I did notify my parent zone about a modified list of nameservers (via
>    registrar's web portal)
>
> I am not absolutely sure if the latter is the cause for these error messages.
>
> I 'fixed' that issue by re-uploading my unmodified KSK DNSKEY (via
> registrar's web portal).
>
> Hmm, how can I fix that issue the right way?
>
> Any hints are highly welcome,
> Michael

I only have a CDS key in my zone when there is a KSK rollover. The CDS
contains the data you should add as DS in the parent zone. I never checked
its signature; I set up knot to check the DS publication, and the CDS
disappears once the new DS is published.

-- Erwan David --
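
The condition in the DNSViz message quoted above (the key that signs CDS/CDNSKEY must appear in both the DNSKEY RRset and the parent's DS RRset) can be checked offline once the records are collected. The following is an added example, not part of the thread and not DNSViz or Knot code: the function names, the zone name and the key bytes are constructed, only DS digest type 2 (SHA-256) is handled, and the RRSIG is represented by its key tag rather than verified cryptographically.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def cds_signer_ok(owner, signer_tag, dnskeys, parent_ds):
    """True if the key whose tag is in the CDS/CDNSKEY RRSIG is in the
    DNSKEY RRset and is also matched by a DS record at the parent."""
    return any(key_tag(k) == signer_tag and ds_for(owner, k) in parent_ds
               for k in dnskeys)

# Constructed sample data: the public key bytes are fake, not real keys.
ZONE = "example.net."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
DNSKEYS = [KSK, ZSK]

if __name__ == "__main__":
    cases = {
        "parent DS matches KSK": {ds_for(ZONE, KSK)},
        "parent has no DS": set(),
        "parent DS is for another key": {ds_for(ZONE, ZSK)},
    }
    for label, parent_ds in cases.items():
        print(label, "->", cds_signer_ok(ZONE, key_tag(KSK), DNSKEYS, parent_ds))
```

Only the first case satisfies the condition; the other two are the situations in which a validator would report the CDS/CDNSKEY signer as not represented in the current DS RRset.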
