On Tue, Apr 22, 2025 at 04:45:43PM CEST, Michael Grimm via knot-dns-users
<knot-dns-users(a)lists.nic.cz> said:
Hi,
this happened to me for the second time, that https://dnsviz.net tells me:
| enfer-du-nord.net/CDNSKEY: The CDNSKEY RRset must be signed with a key that is represented in both the current DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1.
| enfer-du-nord.net/CDS: The CDS RRset must be signed with a key that is represented in both the current DNSKEY and the current DS RRset. See RFC 7344, Sec. 4.1.
I do not understand what that means.
#) I haven't modified my KSK for some time now
#) I did notify my parent zone about a modified list of nameservers (via registrar's web portal)
I am not absolutely sure if the latter is the cause for these error messages.
I 'fixed' that issue by re-uploading my unmodified KSK DNSKEY (via registrar's web portal).
Hmm, how can I fix that issue the right way?
Any hints are highly welcome,
Michael
I only have a CDS key in my zone when there is a KSK rollover. The CDS contains the data you should add as DS in the parent zone.
I never checked its signature, I set up knot to check the DS publication, and the CDS disappears once the new DS is published.
--
Erwan David
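
The condition in the DNSViz message (RFC 7344, Sec. 4.1), written out as an added example that is not part of the original messages and is not DNSViz or Knot code: a CDS/CDNSKEY signer counts only if its key is in the zone's DNSKEY RRset and that same key has a matching DS in the parent. The zone name `example.test` and both keys are constructed sample values.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034, Sec. 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) owner name in wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(name, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def valid_cds_signers(name, dnskeys, parent_ds, rrsig_key_tags):
    """Key tags from the CDS/CDNSKEY RRSIGs whose key is present in the
    DNSKEY RRset and is also matched by a DS record in the parent.
    Simplification: signers are matched by key tag only."""
    anchored = {key_tag(k) for k in dnskeys if ds_for(name, k) in parent_ds}
    return sorted(set(rrsig_key_tags) & anchored)

# Constructed sample data: one KSK (flags 257) and one ZSK (flags 256),
# algorithm 13, with placeholder public key bytes.
ZONE = "example.test"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
PARENT_DS = {ds_for(ZONE, KSK)}  # the parent publishes a DS for the KSK only

if __name__ == "__main__":
    for label, tags in (("signed by KSK", [key_tag(KSK)]),
                        ("signed by ZSK only", [key_tag(ZSK)])):
        ok = valid_cds_signers(ZONE, [KSK, ZSK], PARENT_DS, tags)
        print(f"CDS {label}: {'ok' if ok else 'RFC 7344 4.1 violation'}")
```

An empty result corresponds to the situation DNSViz flags: the CDS/CDNSKEY RRset has no signature from a key that the current DS RRset in the parent vouches for.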