[dns-operations] What's wrong with my domain?

Brett Carr Brett.Carr at nominet.org.uk
Wed Jul 2 12:44:59 UTC 2014

It would seem bad that the DNSSEC Implementation in f5’s would complete a KSK rollover (IE remove the old key) without some confirmation that the DS had been seen in the parent.
Automation gone too far.


On 2 Jul 2014, at 12:56, Mohamed Lrhazi <ml623 at georgetown.edu<mailto:ml623 at georgetown.edu>> wrote:

So many useful tips, thank you all.

gu.edu<http://gu.edu/> is, luckily, a test domain, and not production. I had enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn that after a while keys are rolled over and I need to do some work about it.... It makes DNSsec easy, but not that easy....


On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr<mailto:bortzmeyer at nic.fr>> wrote:
On Wed, Jul 02, 2014 at 12:08:36PM +0100,
 Tony Finch <dot at dotat.at<mailto:dot at dotat.at>> wrote
 a message of 25 lines which said:

> Your DS record doesn't match your DNSKEY records.

The OP could also use the excellent DNSviz:


which rightly says:

gu.edu/DNSKEY:DS<http://gu.edu/DNSKEY:DS> RRs exist for algorithm(s) 7 in the edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the gu.edu<http://gu.edu/> DNSKEY RRset.

dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
dns-jobs mailing list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140702/5d7566de/attachment.html>

More information about the dns-operations mailing list