<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>(Seems I can't reply directly to the author)<br>
</p>
<p>$ dig covisp.net ds<br>
; <<>> DiG 9.11.2-P1 <<>> covisp.net ds<br>
...<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
21696<br>
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 1<br>
...<br>
;; ANSWER SECTION:<br>
covisp.net. 86352 IN DS 1 7 1
E59B549EC68D577C44A4E13542257CA44FE21970<br>
covisp.net. 86352 IN DS 2 7 2
051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02<br>
<br>
</p>
<p>Umm... this initially looks great but something is seriously
strange. The first numerical value after DS should be the Key ID
(or Key Tag). I really doubt that you would (randomly) create two
different DNSKEY records with sequential Key IDs (Tags) starting
from "1"... it's usually a relatively random value between 1 and
2^16<br>
<br>
Also as an aside - many people are no longer putting the SHA-1
Digest type DS record in their parent, just the longer (more
secure?) SHA-256 (Digest Type 2) record.</p>
<p>As the root uses Algorithm 8 - many people also use algorithm 8 -
you are using algorithm 7. Algorithm roll-overs are a pain so if
you can - move straight to 8.<br>
</p>
I also cannot detect a DNSKEY in your zone?<br>
dig covisp.net dnskey +cd<br>
...gives your SOA.<br>
Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.<br>
<br>
Adding DS records into your parent should be the last part of the
process in securing your Zone with DNSSEC.<br>
<br>
I really think you need to start over. What are you using to sign
your zone with? Maybe I can help.<br>
Take a look at <a class="moz-txt-link-freetext"
href="https://dnssec.co.za">https://dnssec.co.za</a><br>
<br>
<div class="moz-cite-prefix">On 09/09/2018 08:59 PM, LuKreme wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EFAE9767-7646-4A28-A2D1-45A29C577943@kreme.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div>
<div>
<div dir="ltr">
<div><font color="#000000"><span style="caret-color: rgb(0,
0, 0); background-color: rgba(255, 255, 255, 0);">On
Sep 8, 2018, at 10:21, Mark Elkins <<a
href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>>
wrote:<br>
</span></font></div>
</div>
<blockquote type="cite">
<div dir="ltr"><font color="#000000"><span
style="caret-color: rgb(0, 0, 0); background-color:
rgba(255, 255, 255, 0);">Have you DNSSEC Signed your
Domain - that is "<a href="http://covisp.net"
moz-do-not-send="true">covisp.net</a>" because I<br>
don't see any DS records for it in the "net" zone.</span></font></div>
</blockquote>
<br>
</div>
</div>
I think I have everything set now and am hoping the two errors I
have about validation are a matter of waiting for hover to
propagate.
<div><br>
</div>
<div>“<span style="background-color: rgba(255, 255, 255, 0);">None
of the 2 DNSKEY records could be validated by any of the 2 DS
records”</span><br>
<br>
Thanks for all your help. We'll see if I still show this as
broken tomorrow.</div>
<div><br>
</div>
<div>
<div id="AppleMailSignature" dir="ltr">--
<div>My main job is trying to come up with new and innovative
and effective ways to reject even more mail. I'm up to about
97% now.</div>
</div>
<div dir="ltr"><br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Mark James ELKINS - Posix Systems - (South) Africa
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: <a class="moz-txt-link-freetext" href="https://ftth.posix.co.za">https://ftth.posix.co.za</a>
</pre>
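<p>The check behind the "None of the 2 DNSKEY records could be validated by any of the 2 DS records" error, as an added example that is not part of the original message: it derives the key tag (RFC 4034 Appendix B) and DS digest from a DNSKEY and compares them with a parent-side DS record. The zone name example.net, the 8-byte placeholder key and all function names are assumptions made for the illustration.</p>

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Parse a dig-style DS answer line; dig may split a long digest with spaces."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def check_ds(owner, rdata, ds):
    """Say whether a parent-side DS record refers to this DNSKEY, and if not, why."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return "unsupported digest type %d" % dtype
    want = make_ds(owner, rdata, dtype)
    if tag != want[0]:
        return "key tag %d does not match DNSKEY tag %d" % (tag, want[0])
    if alg != want[1]:
        return "algorithm %d does not match DNSKEY algorithm %d" % (alg, want[1])
    return "match" if digest == want[3] else "digest mismatch"

# Constructed sample: example.net and this 8-byte "public key" are placeholders, not real.
OWNER = "example.net."
RDATA = struct.pack("!HBB", 257, 3, 8) + bytes.fromhex("03010001AABBCCDD")
GOOD = make_ds(OWNER, RDATA, 2)
BAD = (1, 7, 2, GOOD[3])  # tag and algorithm typed in by hand instead of derived

if __name__ == "__main__":
    print(OWNER, "IN DS", *GOOD, "->", check_ds(OWNER, RDATA, GOOD))
    print(OWNER, "IN DS", *BAD, "->", check_ds(OWNER, RDATA, BAD))
```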
</body>
</html>