AW: Deprecating auto-dnssec and inline-signing in 9.18+

Tim Daneliuk tundra at
Wed Aug 11 02:19:33 UTC 2021

On 8/10/21 7:32 PM, raf via bind-users wrote:
> To get the DS record information to convey to the
> registrar, after starting to use the default policy.
> look for the CDS record (the child version of the DS
> record) with dig:
> For the default policy, you'll only have to do this
> once (or until your server gets compromised and you
> start again). But until you've done this, it's not
> done. The trust chain has to go all the way to the
> root, so you need the involvement of your registrar
> (to get your DS published and signed).

That's quite helpful, thanks, but still unclear about one
thing.  When I run the dig command above I do get a result
back with a "COOKIE" value in the response.  This value
changes each time I run the dig.   Is any one of these the
"DS record" I want to convey to my registrar?

Other than this I see nothing that resembles  a relevant response AND
the COOKIE field does not show up if I do the dig from outside the zone.

Tim Daneliuk     tundra at
PGP Key:

More information about the bind-users mailing list