[dns-operations] TLD .law - non-signing KSK with referenced DS

Matthew Richardson matthew-l at itconsult.co.uk
Fri Jan 14 10:09:04 UTC 2022


Having been looking at .law following what looks like a slightly
sub-optimal redelegation (now complete), I notice that Zonemaster is
reporting DNSSEC issues:-

https://www.zonemaster.fr/result/f9fcceaef969aea1

>DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with
>tag 16819 that the the DS record refers to.

whereas DNSViz reports no such problem:-

https://dnsviz.net/d/law/YeEwEg/dnssec/

Looking visually at the DNSViz output, the KSK 16819 does look strange as
it is referenced by a DS but does not sign anything.

Out of interest, do folks think this is a valid configuration?

Best wishes,
Matthew
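
The condition described in the message above (a DS whose DNSKEY is published but does not sign the DNSKEY RRset), as an added example that is not part of the original post and not code from Zonemaster or DNSViz. All records are constructed: only the key tag 16819 comes from the post, while the second DS, the other keys, algorithm 8 and the function names are assumptions for illustration.

```python
# Added example: constructed data, not the real .law records.

def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_ds(ds_tags, dnskey_rdatas, dnskey_rrsig_tags):
    """Classify each DS key tag against the child's DNSKEY RRset and its RRSIGs.

    Returns (per_ds, chain_ok): per_ds maps tag -> 'signs', 'present-not-signing'
    or 'no-dnskey'; chain_ok is True when at least one DS-referenced key signs
    the DNSKEY RRset, which is what a validator needs (RFC 4035).
    Simplification: matches on key tag only; signatures are assumed already
    verified, and a real check also compares algorithm and DS digest.
    """
    published = {key_tag(r) for r in dnskey_rdatas}
    signers = set(dnskey_rrsig_tags)
    per_ds = {}
    for tag in ds_tags:
        if tag not in published:
            per_ds[tag] = "no-dnskey"
        elif tag in signers:
            per_ds[tag] = "signs"
        else:
            per_ds[tag] = "present-not-signing"
    return per_ds, any(s == "signs" for s in per_ds.values())

# Constructed DNSKEY RDATA: flags | protocol 3 | algorithm 8 | 2-byte dummy "key".
IDLE_KSK = bytes.fromhex("010103083daa")    # crafted so the tag is 16819
ACTIVE_KSK = bytes.fromhex("010103080001")  # tag 1034
ZSK = bytes.fromhex("010003080010")         # tag 1048

def demo():
    keys = [IDLE_KSK, ACTIVE_KSK, ZSK]
    return audit_ds(ds_tags=[16819, 1034], dnskey_rdatas=keys, dnskey_rrsig_tags=[1034])

if __name__ == "__main__":
    per_ds, chain_ok = demo()
    for tag, status in per_ds.items():
        print(f"DS key tag {tag}: {status}")
    print("at least one DS-referenced key signs the DNSKEY RRset:", chain_ok)
```

A per-DS check flags 16819 as present but not signing, while the chain-level result stays true only because of the assumed second DS and its signing KSK.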


