Hi Matthijs,
The zone was not signed before. I enabled DNSSEC by adding the
'dnssec-policy'. I will send you the requested files off list.
Thank you,
Daniel
On 23.12.20 11:39, Matthijs Mekking wrote:
> Hi Daniel,
>
> This zone was signed before, prior to switching to 'dnssec-policy'? Or
> did
Hi Daniel,
This zone was signed before, prior to switching to 'dnssec-policy'? Or
did you enable DNSSEC by adding 'dnssec-policy'?
If you have them, would you be able to share with me (off list) the logs
and the key (state) files?
- Matthijs
On 23-12-2020 10:47, Daniel Stirnimann wrote:
Hello Matthijs,
I'm testing with version 9.16.9.
Ok, I'm more confused now.
For the current key rollover the DNSKEY RRset is not signed with both
the old key 6207 and the new key 15769 but only with the new key 15769.
The domain is now bogus:
https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
rnd
Hi Daniel,
With which specific 9.16 version are you testing? The first versions
used an unsafe time based rollover, assuming the DS would be published
within a certain time. In 9.16.7 a new rndc command "rndc dnssec
-checkds" was introduced to tell BIND 9 that the DS for a given key has
been