On 26-04-2022 14:25, Bjørn Mork wrote:
Matthijs Mekking <[email protected]> writes:

What can you do to get it to "omnipresent"? Tell BIND that the DS is in the parent (only do so if it is true of course). You can run

    rndc dnssec -checkds published your.zone

And it should update the keyfile. You should then see a "DsPublish" line in the state file and wait for DS TTL and parent propagation delay time to see the state switch to "omnipresent". If there are multiple keys eligible you need to specify the key id with "-key id".

Thanks. Yes, that was the solution.
Glad to hear that worked.
Pretty obvious now that I know :-) We can view the initial bootstrapping as "half a KSK rollover". FWIW, I followed the dnssec-policy migration instructions at https://kb.isc.org/docs/dnssec-key-and-signing-policy , which also includes KSK rollover instructions. But I still didn't manage to put that puzzle together. Maybe you could include an explicit hint for those of us who are too slow to figure out these things by ourselves?
Makes sense to me. I have added a note at the end of the "Key states" section.
Best regards,
Matthijs

