Hi Martin,

> I'm not sure how your DNS data are structured, but usually (properly)
> DS record is located in parent zone, so AXFR for
> subdomain.example.com should not return DS record, but AXFR
> for example.com should return DS record of
> subdomain.example.com.
Herein lies the problem. The nameservers are authoritative for both the parent and child zones, and both are replicated from the primaries to the secondary nameserver. The DS glue records for the child zone contained within the parent zone are not being replicated across to the secondary via AXFR. Thus there is a complete chain for DNSSEC trust when queries are directed at the primaries, but not when queries are directed at the secondary nameserver.

This affects both the DS glue records, and also the apex DS records which don't need to be present, but which bind-dyndb-ldap makes available automatically anyway. I raise this not because it's needed, but it might be relevant to identifying where the root cause is.

Regards,
Ben Roberts

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
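A diagnostic for the situation Ben describes, added here as an example and not code from the thread, FreeIPA or bind-dyndb-ldap: it parses two dig-style AXFR dumps of the parent zone (constructed samples below) and reports DS records the primary serves but the secondary does not, separating delegation DS (which break the chain of trust when missing) from the apex DS the thread says is not needed. Function names and sample zone data are assumptions.

```python
"""Compare DS records between two AXFR dumps of the same parent zone.

Hypothetical helper with constructed sample data; input is the text that
`dig @server AXFR zone` prints (one RR per line, comments start with ';').
"""
import re
from typing import Dict, Set, Tuple

# A DS RR normalised to (owner, key tag, algorithm, digest type, digest).
DSRecord = Tuple[str, int, int, int, str]

# dig prints RRs as: owner  TTL  IN  DS  keytag alg digesttype digest
_DS_LINE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$"
)


def parse_ds(axfr_text: str) -> Set[DSRecord]:
    """Return the set of DS records found in a dig-style AXFR dump."""
    found: Set[DSRecord] = set()
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig's own comments
        m = _DS_LINE.match(line)
        if m:
            owner = m.group(1).lower().rstrip(".")
            digest = m.group(5).replace(" ", "").upper()  # dig may space the hex
            found.add((owner, int(m.group(2)), int(m.group(3)), int(m.group(4)), digest))
    return found


def missing_ds(primary_text: str, secondary_text: str, zone: str) -> Dict[str, Set[DSRecord]]:
    """DS records present on the primary but absent on the secondary, split into
    'delegation' (owner below the apex; needed for DNSSEC validation) and
    'apex' (owner == zone apex; harmless to lose, but a symptom of the same bug)."""
    missing = parse_ds(primary_text) - parse_ds(secondary_text)
    apex = zone.lower().rstrip(".")
    return {
        "delegation": {r for r in missing if r[0] != apex},
        "apex": {r for r in missing if r[0] == apex},
    }


# Constructed sample dumps; digests are shortened placeholders, not real hashes.
PRIMARY_AXFR = """\
; <<>> DiG 9.11 <<>> @ns1.example.com AXFR example.com
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
example.com.            3600 IN DS 11111 8 2 0123456789ABCDEF
subdomain.example.com.  3600 IN NS ns1.example.com.
subdomain.example.com.  3600 IN DS 22222 8 2 FEDCBA98 76543210
"""
SECONDARY_AXFR = """\
; <<>> DiG 9.11 <<>> @ns2.example.com AXFR example.com
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
subdomain.example.com.  3600 IN NS ns1.example.com.
"""
```

Run it against real `dig AXFR` output captured from each server (with a TSIG key if transfers are restricted) and treat any non-empty `delegation` set as a broken chain on that secondary.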