I see two DNSKEY RRSIGs. If the zones are signed by Knot, there should be just 
one RRSIG for DNSKEY.
Try `knotc zone-sign` to see if it removes the defective signatures.

Daniel

On 6/13/24 21:34, Randy Bush wrote:
> we are still chasing one anomaly
>
> zones (LR, LB, PSG.COM, ....) have the one RRSIG, but
>
> DNSSEC02 Error
>
>      The DNSKEY RRset is signed with an RRSIG with tag 3842 which cannot be validated by
> the matching DNSKEY. Fetched from the nameservers with IP addresses "105.16.115.1;
> 105.16.170.1; 139.84.235.208; 158.38.0.181; 185.91.97.18; 2001:700:0:503::aa:5302;
> 2a01:3f0:0:306::53; 2a05:e380:2:4::2; 2a05:f480:3000:205f:5400:4ff:fea4:e565;
> 2c0f:feb0:2:1::1:8001; 2c0f:feb0:c:1::1:1; 77.72.229.254".
>
> DNSSEC08 Error
>
>      The DNSKEY RRset is signed with an RRSIG with tag 3842 which cannot be validated by
> the matching DNSKEY. Fetched from the nameservers with IP addresses "105.16.115.1;
> 105.16.170.1; 139.84.235.208; 158.38.0.181; 185.91.97.18; 2001:700:0:503::aa:5302;
> 2a01:3f0:0:306::53; 2a05:e380:2:4::2; 2a05:f480:3000:205f:5400:4ff:fea4:e565;
> 2c0f:feb0:2:1::1:8001; 2c0f:feb0:c:1::1:1; 77.72.229.254".
>
>
> randy
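
Added example, not part of the thread and not Knot DNS code: a way to spot the condition described above (more than one RRSIG over the DNSKEY RRset for the same key tag) in saved `dig +dnssec DNSKEY <zone>` output with one record per line. The zone name, the short key and the signatures in `SAMPLE` are constructed, with the key chosen so that its tag is 3842 as in the report; the check counts and matches tags only and does not verify signatures cryptographically.

```python
import base64
from collections import defaultdict

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_dnskey_rrsigs(dig_text):
    """Return findings about the RRSIGs that cover the DNSKEY RRset."""
    key_tags = set()
    sigs = defaultdict(list)  # (key tag, algorithm) -> [(inception, expiration)]
    for line in dig_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop dig comments
        if len(fields) < 5 or fields[2] != "IN":
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY" and len(rdata) >= 4:
            flags, protocol, algorithm = (int(x) for x in rdata[:3])
            key_tags.add(key_tag(flags, protocol, algorithm, "".join(rdata[3:])))
        elif rtype == "RRSIG" and len(rdata) >= 8 and rdata[0] == "DNSKEY":
            # RRSIG RDATA: covered alg labels ttl expiration inception tag signer sig
            sigs[(int(rdata[6]), int(rdata[1]))].append((rdata[5], rdata[4]))
    findings = []
    for (tag, alg), seen in sorted(sigs.items()):
        if tag not in key_tags:
            findings.append(f"RRSIG tag {tag} alg {alg}: no DNSKEY with this tag in the RRset")
        if len(seen) > 1:
            spans = ", ".join(f"{inc}..{exp}" for inc, exp in sorted(seen))
            findings.append(f"RRSIG tag {tag} alg {alg}: {len(seen)} signatures over DNSKEY ({spans})")
    return findings

# Constructed sample: one key (tag 3842) and two RRSIGs over DNSKEY, one of them stale.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 13 CvQA
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240627000000 20240613000000 3842 example.test. c2lnLW5ldw==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240520000000 20240506000000 3842 example.test. c2lnLW9sZA==
"""

if __name__ == "__main__":
    for finding in audit_dnskey_rrsigs(SAMPLE):
        print(finding)
```
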