<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">This is the expected state; this TLD is mid-transition. When this is complete, the currently unused DS and DNSKEY will be used for signing. This is pre-publication of the new data.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Brett<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">--<br>
Brett Carr<br>
Manager DNS Engineering<br>
Nominet UK</span><span style="font-size:11.0pt">  <o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt">
<b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">dns-operations &lt;dns-operations-bounces@dns-oarc.net&gt; on behalf of Matthew Richardson &lt;matthew-l@itconsult.co.uk&gt;<br>
<b>Date: </b>Friday, 14 January 2022 at 10:17<br>
<b>To: </b>dns-operations@dns-oarc.net &lt;dns-operations@dns-oarc.net&gt;<br>
<b>Subject: </b>[dns-operations] TLD .law - non-signing KSK with referenced DS<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt">
<span style="font-size:11.0pt">Having been looking at .law following what looks like a slightly<br>
sub-optimal redelegation (now complete), I notice that Zonemaster is<br>
reporting DNSSEC issues:-<br>
<br>
<a href="https://www.zonemaster.fr/result/f9fcceaef969aea1">https://www.zonemaster.fr/result/f9fcceaef969aea1</a><br>
<br>
>DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with<br>
>tag 16819 that the the DS record refers to.<br>
<br>
whereas DNSViz reports no such problem:-<br>
<br>
<a href="https://dnsviz.net/d/law/YeEwEg/dnssec/">https://dnsviz.net/d/law/YeEwEg/dnssec/</a><br>
<br>
Looking visually at the DNSViz output, the KSK 16819 does look strange as<br>
it is referenced by a DS but does not sign anything.<br>
<br>
Out of interest, do folks think this is a valid configuration?<br>
<br>
Best wishes,<br>
Matthew<br>
_______________________________________________<br>
dns-operations mailing list<br>
dns-operations@lists.dns-oarc.net<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><o:p></o:p></span></p>
</div>
</div>
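<p class="MsoNormal"><span style="font-size:11.0pt">The state discussed in this thread, as an added example that is not part of either message: it classifies each DS by whether the key it refers to is published and signs the DNSKEY RRset, and shows why a per-DS check reports tag 16819 while the chain of trust still validates. Every key tag except 16819, all algorithm numbers, and the names KeyRef, classify_ds, chain_is_secure and strict_findings are assumptions made for the illustration.</span></p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRef:
    key_tag: int
    algorithm: int


def classify_ds(ds_set, dnskey_set, dnskey_signers):
    """Map each DS in the parent zone to a rollover state.

    ds_set         -- keys the parent's DS RRset refers to
    dnskey_set     -- keys published in the child's DNSKEY RRset
    dnskey_signers -- keys with a verified RRSIG over that DNSKEY RRset
    Digest comparison and signature verification are assumed done upstream.
    """
    states = {}
    for ds in ds_set:
        if ds not in dnskey_set:
            states[ds] = "no-matching-dnskey"   # DS points at nothing published
        elif ds in dnskey_signers:
            states[ds] = "active"               # usable secure entry point
        else:
            states[ds] = "pre-published"        # key present, not yet signing
    return states


def chain_is_secure(states):
    # A validator needs only one DS that leads to a key signing the DNSKEY RRset.
    return "active" in states.values()


def strict_findings(states):
    # Per-DS view: every DS whose key does not sign the DNSKEY RRset.
    return sorted(k.key_tag for k, s in states.items() if s != "active")


# Constructed sample data; only tag 16819 comes from the thread.
OLD_KSK = KeyRef(11111, 8)   # constructed: currently signing KSK
NEW_KSK = KeyRef(16819, 8)   # tag from the thread, algorithm assumed
ZSK = KeyRef(22222, 8)       # constructed: zone-signing key


def mid_rollover():
    """DS and DNSKEY for the new KSK are published ahead of use."""
    return classify_ds({OLD_KSK, NEW_KSK}, {OLD_KSK, NEW_KSK, ZSK}, {OLD_KSK})


def after_rollover():
    """New KSK has taken over signing; old DS and DNSKEY are withdrawn."""
    return classify_ds({NEW_KSK}, {NEW_KSK, ZSK}, {NEW_KSK})
```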
</body>
</html>