Configuring DNSSEC for child domains
Jaap Winius
jwinius at umrk.nl
Tue May 7 01:21:43 UTC 2013
Quoting Mark Andrews <marka at isc.org>:
>
> In message <5187C559.6040401 at sidn.nl>, "Marco Davids (SIDN)" writes:
>>
>> On 05/06/13 16:09, Jaap Winius wrote:
>> >
>> > This shows two DS records in the parent zone, one not secure and one
>> > bogus, and three DNSKEY records in the child zone, none of which are
>> > secure.
>>
>> Perhaps you could remove ns[12].transip.net from your NS-set and try
>> again? It seems as if these name servers are causing some problems.
>
> They are emitting malformed DS records. Hash algorithm
> 1 is only supposed to be 20 bytes long.
It looks like you and Marko are right. I changed a number of things
about how my site's DNS is configured, but the problems in question
seemed to remain until I was no longer using TransIP's name servers at
all. Now there are just a few small problems that may yet resolve
themselves after the latest changes have had more time to propagate.
Cheers,
Jaap
More information about the bind-users
mailing list