Testing KASP, CDS, and .ch

John W. Blue john.blue at rrcic.com
Fri Apr 9 20:21:33 UTC 2021

Sorry .. clicked send too soon.

Found this via Google:


"You can not add DS keys as we compute it for you with the KSK or ZSK, then we send it to the registry."

So it looks like the owner of domainmail.ch must get the DS from Gandi???  I wouldn't know how that would work exactly but clearly a conversation is needed with Gandi.

Good hunting.


-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jim Popovitch via bind-users
Sent: Friday, April 09, 2021 2:12 PM
To: bind-users at lists.isc.org
Subject: Re: Testing KASP, CDS, and .ch

On Fri, 2021-04-09 at 19:05 +0000, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870.
> Thus the DNSSEC breakage.

Of course, however there is no 22048 id in Gandi (the Registrar), yet it appears in .ch, and 17870 is still Active (as of this moment in time).  

What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.

I know that I can make the domain validate by manually putting a
keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have
to do that, no?

-Jim P.
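
The mismatch discussed in this thread (a DS key ID at the parent that matches no DNSKEY the child serves) can be checked offline by computing key tags as defined in RFC 4034 Appendix B and comparing DS digests. This is an added example, not code from the thread or from BIND; the owner name example.ch, the key bytes and the DS values are constructed.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, b64_key):
    """Build DNSKEY RDATA wire form from the presentation-format fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64_key)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def check_delegation(owner, parent_ds, child_dnskeys):
    """Split parent DS (tag, digest) pairs into (orphaned tags, matched tags)."""
    served = {(key_tag(r), ds_digest_sha256(owner, r)) for r in child_dnskeys}
    orphaned = [t for t, d in parent_ds if (t, d.lower()) not in served]
    matched = [t for t, d in parent_ds if (t, d.lower()) in served]
    return orphaned, matched

# Constructed sample data: a made-up 64-byte key, not any real zone's key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
CHILD_KSK = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)
# Constructed DS for a key the child does not serve (the broken state).
STALE_DS = (12345, "00" * 32)
# DS that the parent would need to publish for the served key.
GOOD_DS = (key_tag(CHILD_KSK), ds_digest_sha256("example.ch", CHILD_KSK))

if __name__ == "__main__":
    orphaned, matched = check_delegation("example.ch", [STALE_DS], [CHILD_KSK])
    print("served DNSKEY key tag:", key_tag(CHILD_KSK))
    print("parent DS tags with no matching DNSKEY:", orphaned)
    print("chain of trust intact:", bool(matched))
```

A validator needs at least one DS at the parent to match a served DNSKEY, so an empty matched list corresponds to the breakage described above.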
