On 9 Sep 2018, at 14:58, Mark Elkins <m...@posix.co.za> wrote:
> Umm... this initially looks great but something is seriously strange. The 
> first numerical value after DS should be the Key ID (or Key Tag). I really 
> doubt that you would (randomly) create two different DNSKEY records with 
> sequential Key IDs (Tags) starting from "1"... it's usually a relatively 
> random value between 1 and 2^16

Yes, that was a mistake in the configuration.

> Also as an aside - many people are no longer putting the SHA-1 Digest type DS 
> record in their parent, just the longer (more secure?) SHA-256 (Digest Type 
> 2) record.

Thanks, I'll keep that in mind.

> As the root uses Algorithm 8 - many people also use algorithm 8 - you are 
> using algorithm 7. Algorithm roll-overs are a pain so if you can - move 
> straight to 8.

And that.

> I also cannot detect a DNSKEY in your zone?
> dig covisp.net dnskey +cd
> ...gives your SOA.
> Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Yes, I was in the midst of futzing with things at the time.

> Adding DS records into your parent should be the last part of the process in 
> securing your Zone with DNSSEC.

I've pulled the DNSSEC entirely for right now as there is still some research I 
need to do (things like renewal, automating the process for other domains, etc).

-- 
"I've had a perfectly wonderful evening. But this wasn't it." - Groucho
Marx
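The thread turns on two things a DS record carries: the key tag (which is derived from the DNSKEY RDATA, so real keys never come out as 1, 2, ...) and the digest type (1 = SHA-1, 2 = SHA-256). The following is an added example, not code from the thread or from BIND: it computes the RFC 4034 Appendix B key tag and the DS digest over the canonical owner name plus DNSKEY RDATA, and checks a parent-side DS against a child-side DNSKEY. The sample DNSKEY `257 3 8 AQIDBAUGBwg=` and the owner name `example.com` are constructed for the example; the "public key" is just the bytes 01..08 and is not a usable RSA key.

```python
"""Added example for the DS / DNSKEY discussion above (not from the thread or BIND).

Computes the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 s5.1.4,
SHA-256 per RFC 4509) for a DNSKEY, and verifies a DS against a DNSKEY.
The sample key below is constructed and is not a real RSA key."""
import base64
import hashlib
import struct

# DS digest type registry values used in the thread: 1 = SHA-1, 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            encoded = label.encode("ascii")
            if len(encoded) > 63:
                raise ValueError("label too long: %r" % label)
            out.append(len(encoded))
            out += encoded
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, alg 1).
    It is a 16-bit checksum over the whole RDATA, so it follows the key material;
    sequential tags such as 1 and 2 point at odd DNSKEY data, not at a counter."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record for the given DNSKEY (default digest type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return "%s. IN DS %d %d %d %s" % (owner.rstrip("."), key_tag(rdata), algorithm,
                                     digest_type, ds_digest(owner, rdata, digest_type))


def parse_dnskey_presentation(text: str):
    """Parse the RDATA part of a DNSKEY line: '<flags> <protocol> <algorithm> <base64>'."""
    parts = text.split()
    flags, protocol, algorithm = int(parts[0]), int(parts[1]), int(parts[2])
    key = base64.b64decode("".join(parts[3:]))
    return flags, protocol, algorithm, key


def ds_matches_dnskey(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """Check that a DS published in the parent was generated from this child DNSKEY.
    ds_text is '<keytag> <algorithm> <digesttype> <hex>'."""
    fields = ds_text.split()
    tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    digest = "".join(fields[3:]).upper()
    flags, protocol, algorithm, key = parse_dnskey_presentation(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    if dtype not in DIGEST_TYPES or alg != algorithm:
        return False
    return tag == key_tag(rdata) and digest == ds_digest(owner, rdata, dtype)


# Constructed sample: a KSK-flagged (257), protocol 3, algorithm 8 DNSKEY whose
# "public key" is the bytes 01..08.  Enough to exercise the arithmetic; not a real key.
SAMPLE_OWNER = "example.com"
SAMPLE_DNSKEY = "257 3 8 AQIDBAUGBwg="

if __name__ == "__main__":
    flags, proto, alg, key = parse_dnskey_presentation(SAMPLE_DNSKEY)
    print("key tag:", key_tag(dnskey_rdata(flags, proto, alg, key)))
    for dtype in (1, 2):
        print(ds_record(SAMPLE_OWNER, flags, proto, alg, key, dtype))
```

Running it prints the tag 5149 for the constructed key and one DS line per digest type; feeding `ds_matches_dnskey` the DS text your parent actually publishes together with the `dig <zone> DNSKEY` output is the check to run before and after any key or algorithm change.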


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
