<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
It would seem bad that the DNSSEC Implementation in f5’s would complete a KSK rollover (IE remove the old key) without some confirmation that the DS had been seen in the parent.
<div>Automation gone too far.</div>
<div><br>
</div>
<div>Brett</div>
<div><br>
<div>
<div>On 2 Jul 2014, at 12:56, Mohamed Lrhazi <<a href="mailto:ml623@georgetown.edu">ml623@georgetown.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">So many useful tips, thank you all.
<div><br>
</div>
<div><a href="http://gu.edu/">gu.edu</a> is, luckily, a test domain, and not production. I had enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn that after a while keys are rolled over and I need to do some work about
it.... It makes DNSsec easy, but not that easy....</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mohamed.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer <span dir="ltr">
<<a href="mailto:bortzmeyer@nic.fr" target="_blank">bortzmeyer@nic.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, Jul 02, 2014 at 12:08:36PM +0100,<br>
Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote<br>
<div class=""> a message of 25 lines which said:<br>
<br>
> Your DS record doesn't match your DNSKEY records.<br>
<br>
</div>
The OP could also use the excellent DNSviz:<br>
<br>
<a href="http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/" target="_blank">http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/</a><br>
<br>
which rightly says:<br>
<br>
<a href="http://gu.edu/DNSKEY:DS" target="_blank">gu.edu/DNSKEY:DS</a> RRs exist for algorithm(s) 7 in the edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the
<a href="http://gu.edu/" target="_blank">gu.edu</a> DNSKEY RRset.<br>
</blockquote>
</div>
<br>
</div>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs mailing list<br>
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</blockquote>
</div>
<br>
</div>
</body>
</html>