On 19.2. 2022 10:54, Nick Cao via dns-wg wrote:
> Strangely, after leaving everything as-is for a day, the rollover has
> been completed automatically. Guess that it was the mechanism
> documented in
> https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns#4--automated-update-of-dnssec-delegations
> taking effect. However, the same checks would have been applied to
> this procedure, or was the system using another instance of zonemaster
> or other software?

Hello Nick,

this was indeed an automated update of DS records based on CDS records
published in your zone. Since this updater works by using RIPE NCC's
superpowers to edit database objects on your behalf, these superpowers
also override (or, to be precise, skip) the Zonemaster check. This is
generally safe as the updater does all the checks prescribed by RFC 7344.

Right now this is really the only way to automatically upgrade to
the newest DNSSEC algorithms which are not supported by the current
version of Zonemaster. Unfortunately I cannot tell you anything about
why Zonemaster is still not upgraded but hopefully some of my colleagues
will do.

--
Best regards,
Ondřej Caletka
RIPE NCC
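
A simplified sketch of the signer and continuity checks from RFC 7344 section 4.1, applied to an algorithm rollover like the one in this thread. This is an added example, not RIPE NCC's updater code; the zone name, key bytes and function names are constructed for illustration, and RRSIG validation is assumed to have been done already by a validating resolver.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, digest); SHA-256 (2) or SHA-384 (4) only."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return (key_tag(rdata), rdata[3], digest_type, h(name_to_wire(owner) + rdata).digest())

def matches(owner, ds, rdata):
    """True if the DS/CDS tuple is the digest of this DNSKEY."""
    return ds[2] in (2, 4) and make_ds(owner, rdata, ds[2]) == ds

def accept_cds(owner, cds_set, dnskey_set, current_ds, signer):
    """Simplified signer and continuity rules of RFC 7344 section 4.1.
    Assumption: the CDS RRSIG made by `signer` was already validated."""
    if not cds_set:
        return False, "no CDS published"
    # Signer: the signing key must be in both the DNSKEY set and the current DS set.
    if signer not in dnskey_set or not any(matches(owner, ds, signer) for ds in current_ds):
        return False, "CDS not signed by a key in the current DS set"
    # Continuity: the new DS set must still point at a key the zone publishes.
    if not any(matches(owner, cds, k) for cds in cds_set for k in dnskey_set):
        return False, "CDS matches no DNSKEY in the zone"
    return True, "ok"

# Constructed sample data: byte patterns, not real keys.
ZONE = "2.0.192.in-addr.arpa."
OLD_KEY = dnskey_rdata(257, 13, bytes(64))         # algorithm 13, ECDSA P-256
NEW_KEY = dnskey_rdata(257, 15, bytes(range(32)))  # algorithm 15, Ed25519
STRAY_KEY = dnskey_rdata(257, 15, bytes(32))       # never published in the zone
PARENT_DS = [make_ds(ZONE, OLD_KEY)]               # DS currently at the parent
CDS = [make_ds(ZONE, NEW_KEY)]                     # CDS published by the child

if __name__ == "__main__":
    print(accept_cds(ZONE, CDS, [OLD_KEY, NEW_KEY], PARENT_DS, OLD_KEY))
    print(accept_cds(ZONE, CDS, [OLD_KEY, NEW_KEY], PARENT_DS, STRAY_KEY))
    print(accept_cds(ZONE, CDS, [OLD_KEY], PARENT_DS, OLD_KEY))
```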