<div dir="ltr">So many useful tips, thank you all. <div><br></div><div><a href="http://gu.edu">gu.edu</a> is, luckily, a test domain, and not production. I had enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn that after a while keys are rolled over and I need to do some work about it.... It makes DNSsec easy, but not that easy....</div>
<div><br></div><div>Thanks,</div><div>Mohamed.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer <span dir="ltr"><<a href="mailto:bortzmeyer@nic.fr" target="_blank">bortzmeyer@nic.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, Jul 02, 2014 at 12:08:36PM +0100,<br>
Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote<br>
<div class=""> a message of 25 lines which said:<br>
<br>
> Your DS record doesn't match your DNSKEY records.<br>
<br>
</div>The OP could also use the excellent DNSviz:<br>
<br>
<a href="http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/" target="_blank">http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/</a><br>
<br>
which rightly says:<br>
<br>
<a href="http://gu.edu/DNSKEY:DS" target="_blank">gu.edu/DNSKEY:DS</a> RRs exist for algorithm(s) 7 in the edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the <a href="http://gu.edu" target="_blank">gu.edu</a> DNSKEY RRset.<br>
</blockquote></div><br></div>