<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hello.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>After a domain’s signatures expired, and was later replaced with a newly signed domain with fresh signatures we started getting validation problems on empty non-terminal subdomains, which haven’t had any DS records previously.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I had to solve it by moving the subdomain out and delegating NS/DS records from parent.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I am not sure if this is OpenDNSSEC related or if it’s something fishy in DNSSEC in general, but I cannot find any clue to why it was working before sig. expiration, and not when sig’s were replaced with active ones again.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Any ideas?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Should I start moving out all my empty non-terminal domains to separate subdomains with proper delegations, or is this some bug, and should this work as I thought it would?<o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=EN-GB style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Hälsningar / Best regards, <o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><b><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Johan Bergström</span></b><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>, Unix/Linux architect<o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt'>Tieto Sweden AB</span></b><span style='font-size:10.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>email johan.bergstrom@tieto.com, direct +46 (0)10 481 1856, mobile +46 (0)70 531 0269<o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt'><span lang=SV style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Fjärde Bassängvägen 15, SE-11583, Stockholm, www.tieto.com</span><b><span lang=SV style='font-family:"Arial","sans-serif";color:black'><br><br></span></b><b><span lang=SV style='font-family:"Arial","sans-serif"'><o:p></o:p></span></b></p><p class=MsoNormal style='mso-line-height-alt:0pt'><span style='font-size:7.0pt'>Please note: The information contained in this message may be legally privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorised use, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank You.<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:0pt'><span style='font-size:7.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:7.0pt;color:#00B050'>Please consider the environment before printing this e-mail.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>