The one place for your designs
To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.
problems with CDS / CDNSKEY consistency checks
I have a test zone with alg. 8 and alg. 13 keys.
I disabled the algorithm 8 ksk:
dnssec-settime -D now -I now Kfanf2.ucam.org.+008+25474.key
I forgot to delete the CDS record and forgot the ZSK.
-
first problem:
namedaccepted this change - the integrity checks did not work
Then named was restarted. It refused to load the zone because the consistency checks failed.
I tried to inspect the zone using named-compilezone because it is in "raw" format. This also failed because of the consistency checks.
-
second problem:
named-compilezonedoes not have an option to disable the CDS consistency checks -
third problem:
namedalso does not have an option to disable the CDS consistency checks
Consequence: I was not able to fix the zone without editing BIND's source code to disable the consistency checks.