On 01.05.23 15:48, BenoƮt Panizzon via swinog wrote:
It looks like Gandi at least messed up their Registrar UI.
From their point of view, my 'algo 5' .ch domains have still DNSSEC active but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back. I guess they perform some API calls to Switch and this fails, because both disagree on the DNSSEC status?
The nerd answer is that you can use Automated DNSSEC Provisioning [1] to enable DNSSEC. This also sends an EPP poll message to your registrar to update locally cached state information about a domain name. See also chapter 6.1 in our Automated DNSSEC Provisioning Guidelines [2]. I don't know if EPP poll messages have been used in the algo 5/7 removal procedure or if registrars received a list of affected domains and were instructed to refresh locally cached state. If the former and the domain state is still wrong then the registrar is not processing EPP poll messages.
The normal answer is that you should contact the registrar and ask him to refresh the domain.
Daniel
[1] https://www.nic.ch/de/security/cds/ [2] https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf