AW: Deprecating auto-dnssec and inline-signing in 9.18+
Matthijs Mekking
matthijs at isc.org
Wed Aug 11 07:32:57 UTC 2021
Hi Tim,
On 11-08-2021 04:19, Tim Daneliuk via bind-users wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
>> To get the DS record information to convey to the
>> registrar, after starting to use the default policy.
>> look for the CDS record (the child version of the DS
>> record) with dig:
>>
>> dig CDS EXAMPLE.ORG
>>
>> For the default policy, you'll only have to do this
>> once (or until your server gets compromised and you
>> start again). But until you've done this, it's not
>> done. The trust chain has to go all the way to the
>> root, so you need the involvement of your registrar
>> (to get your DS published and signed).
>
>
> That's quite helpful, thanks, but still unclear about one
> thing. When I run the dig command above I do get a result
> back with a "COOKIE" value in the response. This value
> changes each time I run the dig. Is any one of these the
> "DS record" I want to convey to my registrar?
>
> Other than this I see nothing that resembles a relevant response AND
> the COOKIE field does not show up if I do the dig from outside the zone.
Cookies are a different thing, unrelated to DNSSEC:
https://datatracker.ietf.org/doc/html/rfc7873
More information about the bind-users
mailing list