Your DS in .NET was missing at this point https://dnsviz.net/d/enfer-du-nord.net/aAeeOQ/dnssec/.

So You did solve it the correct way. (If You do not use autoprovisioning as described in rfc8078 but i haven't found a way to do that in .NET TLD)

I don't know how or why it was removed though but it is probably something that happened at Your registrar.

/Leif

On Tue, Apr 22, 2025 at 4:46 PM Michael Grimm via knot-dns-users <knot-dns-users@lists.nic.cz> wrote:

Hi,

this happened to me for the second time, that https://dnsviz.net <https://dnsviz.net/> tells me:

| enfer-du-nord.net/CDNSKEY: The CDNSKEY RRset must be signed with a key that is represented in both the
| current DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1.

| enfer-du-nord.net/CDS: The CDS RRset must be signed with a key that is represented in both the current
| DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1.

I do not understand what that means.

#) I haven't modified my KSK for some time now
#) I did notify my parent zone about a modified list of nameservers (via registrar's web portal)

I am not absolutely sure if the latter is the cause for these error messages.

I 'fixed' that issue by re-uploading my unmodified KSK DNSKEY (via registrar's web portal).

Hmm, how can I fix that issue the right way?

Any hints are highly welcome,
Michael

--