Thanks Daniel for your helpful answers. Yes, CDS is also something I always wanted to try, but as usual: no hard pressure, no time... ;-)
Benoît Panizzon wrote:
> From their point of view, my 'algo 5' .ch domains still have DNSSEC active
Basically the same behavior I had with my 'algo 7' domains (infomaniak).
> but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back.
I did not even try to delete/disable DNSSEC, I was just able to update the existing record (key/algo/hash). Then the update towards the registry was carried out immediately, seems the old values do not matter then. Cannot tell whether that works with Gandi though.
Maybe option #3 besides the nerd and normal answers and worth a try?
Gruass, Franco
On 01.05.23 17:11, Benoît Panizzon via swinog wrote:
> Hi Daniel
>> The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name.
> Yes, while trying to understand how I correctly get rid of my old RRSIG entries without shooting myself in the foot, I came across this whole new dnssec-policy and automatic publishing of CDS records via BIND.
> Not sure if I have yet fully understood the mechanics. But I have tentatively set it up now and I'll see if this somehow, by the magic of the internet, caused my DS entries to get refreshed.