Configuring DNSSEC for child domains

Jaap Winius jwinius at
Tue May 7 01:21:43 UTC 2013

Quoting Mark Andrews <marka at>:
> In message <5187C559.6040401 at>, "Marco Davids (SIDN)" writes:
>> On 05/06/13 16:09, Jaap Winius wrote:
>> >
>> > This shows two DS records in the parent zone, one not secure and one
>> > bogus, and three DNSKEY records in the child zone, none of which are
>> > secure.
>> Perhaps you could remove ns[12] from your NS-set and try
>> again? It seems as if these name servers are causing some problems.
> They are emitting malformed DS records.  Hash algorithm
> 1 is only supposed to be 20 bytes long.

It looks like you and Marko are right. I changed a number of things  
about how my site's DNS is configured, but the problems in question  
seemed to remain until I was no longer using TransIP's name servers at  
all. Now there are just a few small problems that may yet resolve  
themselves after the latest changes have had more time to propagate.



More information about the bind-users mailing list