problem registering DS records with EDUCAUSE, sanity check please
Paul B. Henson
henson at acm.org
Tue Jul 15 00:49:23 UTC 2014
On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
> The new key does not sign the DNSKEY RRset.
[...]
> Make sure the DNSKEY RRset is signed with the new key then try to
> add the DS record to the parent.
It's intentionally not being used for signing; it's published but not yet
activated. We've been doing pre-publish key rollover since we deployed
dnssec, I don't think there's any requirement that a DS record point to
a key actually in use for signing, just to one that exists in the zone?
Thanks...
More information about the bind-users
mailing list