> On 8 Mar 2024, at 10:54, Randy Bush <ra...@psg.com> wrote: > >> You DS and DNSKEY rrset are not matched. You >> need to publish the DS for the DNSKEY with key >> tag 3463. >> >> rg.net. 86256 IN DS 12391 8 2 >> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9 >> >> rg.net. 3463 IN DNSKEY 256 3 8 ( >> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV >> OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd >> tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB >> KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2 >> y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid >> bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0 >> ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad >> kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8= >> ) ; ZSK; alg = RSASHA256 ; key id = 43431 >> rg.net. 3463 IN DNSKEY 257 3 8 ( >> AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa >> 4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU >> dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p >> g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko >> 26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05 >> 6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag >> 8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b >> s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs= >> ) ; KSK; alg = RSASHA256 ; key id = 30790 >> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 ( >> 20240321203948 20240307193948 30790 rg.net. >> OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l >> 8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4 >> OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl >> LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD >> ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts >> kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd >> liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ >> B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== ) >> >>> https://git.rg.net/randy/randy/src/master/scratch.md > > yes, we can see that, as we noted. and yes we could rekey 42 zones at > the parents; great fun. > > but WHY NOT? same key sets with opendnssec and inline-signing, we > think. > > randy
I can’t get to https://git.rg.net/randy/randy/src/master/scratch.md without installing a negative trust anchor or you fixing/removing the DS. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
