Matthijs Mekking <matth...@isc.org> writes:

> What can you do to get it to "omnipresent"? Tell BIND that the DS is
> in the parent (only do so if it is true of course). You can run
>
>   rndc dnssec -checkds published your.zone
>
> And it should update the keyfile. You should then see a "DsPublish"
> line in the state file and wait for DS TTL and parent propagation
> delay time to see the state switch to "omnipresent".
>
> If there are multiple keys eligible you need to specify the key id
> with "-key id".

Thanks. Yes, that was the solution. Pretty obvious now that I know :-)

We can view the initial bootstrapping as "half a KSK rollover". FWIW, I
followed the dnssec-policy migration instructions at
https://kb.isc.org/docs/dnssec-key-and-signing-policy , which also
includes KSK rollover instructions. But I still didn't manage to put
that puzzle together. Maybe you could include an explicit hint for those
of us who are too slow to figure out these things by ourselves?

Bjørn