On Wed, 20 Mar 2024 11:20:36 -0700,
Daniel Salzman wrote:
Hi Randy,
I cannot reproduce your problem. What does `keymgr sld.tld list` say?
daniel:
< uncloaking so fok can probe externally. the zone is net.lb, the server is rip.psg.com >
so as to have as clear a test as i could, i
# keymgr net.lb generate algorithm=rsasha256 ksk=yes zsk=yes
1986ca221483d75a1045ab51afa26d1f8b62e88d
# knotc reload
Reloaded
# keymgr net.lb ds
net.lb. DS 8389 8 2 194b6f4571058ec4a39e13bd24159dd1d93242a60a23a8ea6a346c9b6ac8f3c5
net.lb. DS 8389 8 4 ec5c1a343a710fb0488bea3fbd2d49b82ffe520d0ec8234d56fcd3c7f92229f5c675806353e7a16d88985ca6f77f290c
< put the DSs in the parent, lb, zone file >
# knotc zone-reload tld
OK
no log warnings, at least not yet
i did a
knotc zone-refresh net.lb
to see if i could provoke whining. nope.
https://dnssec-analyzer.verisignlabs.com for the net.lb says
None of the 1 RRSIG and 2 DNSKEY records validate the NSEC RRset
The NSEC RRset was not signed by any trusted keys
Found DNSKEY, but no RRSIG, for algorithm 13
No NSEC record could prove that no records of type A for net.lb exist
Found 1 RRSIGs over SOA RRset
None of the 1 RRSIG and 2 DNSKEY records validate the SOA RRset
dataviz, https://dnsviz.net/d/net.lb/dnssec/, paints a sad picture, if one is into graphics
randy
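Added example, not from this thread or from Knot DNS: a small Python check that recomputes a DS record from a DNSKEY (RFC 4034) and compares it with what the parent publishes, i.e. the consistency the step "put the DSs in the parent, lb, zone file" depends on and that dnsviz flags when it fails. The DNSKEY material is a constructed placeholder, not the real net.lb key, so the digests it prints differ from the ones `keymgr net.lb ds` showed above.

```python
import base64
import hashlib

# RFC 4034: DS RDATA = key tag | algorithm | digest type | digest, where
# digest = hash(canonical owner name || DNSKEY RDATA). Digest type 2 is
# SHA-256 and type 4 is SHA-384, the two DS lines keymgr printed above.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}
# Constructed sample KSK (not the real net.lb key): flags 257, protocol 3,
# algorithm 8 (RSASHA256), with a tiny public-key field to keep it readable.
SAMPLE_KEY = (257, 3, 8, "AwEAAQ==")

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form from its presentation-format fields."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, dnskey_fields, ds_fields):
    """True if the DS published in the parent was derived from this DNSKEY.
    ds_fields is (key_tag, algorithm, digest_type, hex_digest) as in a zone file;
    an unknown digest type is reported as a mismatch, not an error."""
    tag, alg, dtype, digest = ds_fields
    if dtype not in DIGESTS:
        return False
    return make_ds(owner, *dnskey_fields, dtype) == (tag, alg, dtype, digest.lower())

if __name__ == "__main__":
    for dtype in (2, 4):
        tag, alg, dt, digest = make_ds("net.lb.", *SAMPLE_KEY, dtype)
        print(f"net.lb. DS {tag} {alg} {dt} {digest}")
```

Running `ds_matches` against the DS actually present in the parent, for every DNSKEY the child serves, tells you whether the chain can validate before an external analyzer does.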