DNSSEC and NSEC missing ZSK?
malz at jetlan.com
Tue Feb 9 23:19:31 UTC 2021
On 09/02/2021 10:47 pm, @ wrote:
> Well, I have finally gotten the test zone to the point where dnssec-verify is happy and everything that I can check also seems happy except dnsviz which is very very VERY angry and basically says the zone is entirely garbage. I am hoping this is a propagation issue, but I kind of doubt it since it should be querying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think.
The easiest way to get help is to post your named.conf and zone file.
Obfuscating the configuration works against you, especially when you
have a limited understanding of DNSSEC.
DNSVIZ displays your current state very well. If it's showing you
errors, then it requires you to act.
The query IPs DNSVIZ typically uses are:
So you can easily reconcile the DNSVIZ query, in real time, that
produced your data set.
The DS record propagation, at the registry level, should never take days
(no more than 15-30 minutes is my experience). You need to make sure
you have configured (or instructed the registry, per manual
intervention) the correct Algorithm (13) and the digest type (SHA256)
when you provide your Hash.
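The DS check described above (algorithm 13, digest type 2 / SHA-256), as an added example that is not part of the list post: it derives the DS a registry should hold from a DNSKEY per RFC 4034 (key tag from Appendix B, digest over the canonical owner name plus the DNSKEY RDATA) and reports why a published DS would fail to match. The owner name and the 64-byte key are constructed placeholders, not a real zone or key.

```python
import hashlib
import struct
from dataclasses import dataclass

ALG_ECDSAP256SHA256 = 13  # the algorithm number named in the thread
DIGEST_SHA256 = 2         # DS digest type for SHA-256

@dataclass
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int
    public_key: bytes  # for algorithm 13: 64 raw bytes (P-256 x || y)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(key: DNSKEY) -> tuple[int, int, int, str]:
    """(key tag, algorithm, digest type, hex digest): the DS the registry should publish."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest()
    return key_tag(key), key.algorithm, DIGEST_SHA256, digest

def ds_problems(ds: tuple[int, int, int, str], key: DNSKEY) -> list[str]:
    """Explain why a published DS would not validate the given key; empty list means it matches."""
    tag, alg, dtype, digest = ds
    problems = []
    if not key.flags & 0x0001:
        problems.append("DNSKEY lacks the SEP bit (flags 257 expected for a KSK)")
    if key.algorithm != ALG_ECDSAP256SHA256:
        problems.append(f"DNSKEY algorithm is {key.algorithm}, expected 13")
    if alg != key.algorithm:
        problems.append(f"DS algorithm {alg} does not match DNSKEY algorithm {key.algorithm}")
    if dtype != DIGEST_SHA256:
        problems.append(f"DS digest type {dtype} is not SHA-256 (2)")
    if tag != key_tag(key):
        problems.append(f"DS key tag {tag} != computed {key_tag(key)}")
    if digest.lower() != ds_record(key)[3]:
        problems.append("DS digest does not match SHA-256 over owner name + DNSKEY RDATA")
    return problems
```

Compare the tuple from `ds_record()` against what `dig DS` returns from the parent before blaming propagation.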