AW: Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at
Wed Aug 11 07:32:57 UTC 2021

Hi Tim,

On 11-08-2021 04:19, Tim Daneliuk via bind-users wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
>> To get the DS record information to convey to the
>> registrar, after starting to use the default policy.
>> look for the CDS record (the child version of the DS
>> record) with dig:
>> For the default policy, you'll only have to do this
>> once (or until your server gets compromised and you
>> start again). But until you've done this, it's not
>> done. The trust chain has to go all the way to the
>> root, so you need the involvement of your registrar
>> (to get your DS published and signed).
> That's quite helpful, thanks, but still unclear about one
> thing.  When I run the dig command above I do get a result
> back with a "COOKIE" value in the response.  This value
> changes each time I run the dig.   Is any one of these the
> "DS record" I want to convey to my registrar?
> Other than this I see nothing that resembles  a relevant response AND
> the COOKIE field does not show up if I do the dig from outside the zone.

Cookies are a different thing, unrelated to DNSSEC:

More information about the bind-users mailing list