[Opendnssec-user] Signature expiration and empty non-terminal domains

Johan.Bergstrom at tieto.com Johan.Bergstrom at tieto.com
Mon Dec 17 14:56:54 CET 2012


After a domain's signatures expired and it was later replaced with a newly signed domain with fresh signatures, we started getting validation problems on empty non-terminal subdomains, which haven't had any DS records previously.

I had to solve it by moving the subdomain out and delegating NS/DS records from parent.

I am not sure if this is OpenDNSSEC related or if it's something fishy in DNSSEC in general, but I cannot find any clue as to why it was working before sig. expiration, and not when sigs were replaced with active ones again.

Any ideas?

Should I start moving out all my empty non-terminal domains to separate subdomains with proper delegations, or is this some bug, and should this work as I thought it would?

Hälsningar / Best regards,

Johan Bergström, Unix/Linux architect

Tieto Sweden AB
email johan.bergstrom at tieto.com, direct +46 (0)10 481 1856, mobile +46 (0)70 531 0269
Fjärde Bassängvägen 15, SE-11583, Stockholm, www.tieto.com
