AW: Deprecating auto-dnssec and inline-signing in 9.18+
Tim Daneliuk
tundra at tundraware.com
Wed Aug 11 02:19:33 UTC 2021
On 8/10/21 7:32 PM, raf via bind-users wrote:
> To get the DS record information to convey to the
> registrar, after starting to use the default policy,
> look for the CDS record (the child version of the DS
> record) with dig:
>
> dig CDS EXAMPLE.ORG
>
> For the default policy, you'll only have to do this
> once (or until your server gets compromised and you
> start again). But until you've done this, it's not
> done. The trust chain has to go all the way to the
> root, so you need the involvement of your registrar
> (to get your DS published and signed).
That's quite helpful, thanks, but still unclear about one
thing. When I run the dig command above I do get a result
back with a "COOKIE" value in the response. This value
changes each time I run the dig. Is any one of these the
"DS record" I want to convey to my registrar?
Other than this I see nothing that resembles a relevant response AND
the COOKIE field does not show up if I do the dig from outside the zone.
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
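An added example, not part of the original messages: in full `dig` output the COOKIE line belongs to the OPT pseudosection (an EDNS option), while a published CDS record appears in the ANSWER SECTION, and its rdata has the same four fields as a DS record (key tag, algorithm, digest type, digest). The sketch below pulls those fields out of a constructed sample response; the key tag, digest and cookie values are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of what `dig CDS example.org` prints for a signed zone.
# All values (id, cookie, key tag, digest) are invented for this example.
sample_dig_output() {
cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 00112233445566770100000061132a3f8899aabbccddeeff (good)
;; QUESTION SECTION:
;example.org.                   IN      CDS

;; ANSWER SECTION:
example.org.            3600    IN      CDS     12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF

;; Query time: 0 msec
EOF
}

# Read dig output on stdin and print each CDS record from the ANSWER
# SECTION in DS presentation form. Lines in the OPT pseudosection (where
# COOKIE lives) are never considered. Exits non-zero if no CDS was found.
extract_cds() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $4 == "CDS" {
            # dig may split a long digest into space-separated chunks;
            # join everything after the digest-type field.
            digest = ""
            for (i = 8; i <= NF; i++) digest = digest $i
            printf "%s IN DS %s %s %s %s\n", $1, $5, $6, $7, digest
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed sample; against a live zone this would be:
#   dig CDS example.org | extract_cds
sample_dig_output | extract_cds
```

If `extract_cds` exits non-zero, the response carried no CDS record in its answer section, whatever the COOKIE line showed.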