Forum Discussion
Thanks, but that doesn't really help me.
My problem is the dotgov register won't add the DS record to the .gov domain until a corresponding DS record exists in my domain. I know this isn't part of the RFC for DNSSEC, but it's their rules and you either play by them or don't play at all. You can see this with a dig for DS records on any DNSSEC-enabled .gov domain like dod.gov (see below), where the domain is responding with DS records pointing to itself. What I find odd is that somewhere along the line F5 wrote specific code in to filter the DS record out of replies when DNSSEC was enabled on a zone. I have found that if I disable DNSSEC on a zone, the F5 starts to return the DS record I have added to the backend BIND server, but as soon as I enable it, it filters it out.
dig -t DS dod.gov +multiline
; <<>> DiG 9.8.3-P1 <<>> -t DS dod.gov +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51489
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dod.gov.                IN DS

;; ANSWER SECTION:
dod.gov.                3600 IN DS 48556 8 1 (
                                D8938B65509FDA7C2459DD98B4F421533786990E )
dod.gov.                3600 IN DS 48556 8 2 (
                                53EE8C50B46706B12735F88467DDAA3F5AE82913CE78
                                7681A5C5C10F4B63B9A4 )

;; Query time: 21 msec
;; SERVER: X.X.X.X#53(172.29.0.10)
;; WHEN: Mon Jun  2 19:21:38 2014
;; MSG SIZE  rcvd: 109
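The post hinges on the DS record published at the child apex (or at the parent) actually corresponding to the zone's KSK. The following Python is an added example, not code from the forum post, F5 or BIND: it derives a DS record from a DNSKEY exactly as RFC 4034 section 5.1.4 and appendix B specify (canonical owner name plus DNSKEY RDATA, hashed with the DS digest type; key tag by the 16-bit ones'-complement fold), parses DS records in the dig +multiline presentation form shown above, and reports whether each published DS matches the key. The zone name example.gov and the KSK public key bytes are constructed stand-ins, not real keys; the dod.gov DS lines are copied from the dig output above and can only be parsed here, not verified, because no DNSKEY for dod.gov is on the page.

```python
"""Derive DS records from a DNSKEY and check published DS records against it (RFC 4034)."""
import hashlib
import struct

# DS digest types (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample: zone and a fake RSA/SHA-256 KSK (flags 257). NOT a real key.
ZONE = "example.gov."
KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM = 257, 3, 8
KSK_PUBLIC_KEY = b"\x03\x01\x00\x01" + bytes((i * 37 + 11) % 256 for i in range(64))

# DS records copied from the dig output in the post (digest split across lines by dig).
DS_LINES_FROM_POST = [
    "dod.gov. 3600 IN DS 48556 8 1 ( D8938B65509FDA7C2459DD98B4F421533786990E )",
    "dod.gov. 3600 IN DS 48556 8 2 ( 53EE8C50B46706B12735F88467DDAA3F5AE82913CE78 7681A5C5C10F4B63B9A4 )",
]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as upper-case hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type) -> dict:
    """The DS record a parent (or dotgov's child-apex rule) should carry for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def parse_ds_line(line: str) -> dict:
    """Parse a DS record in dig +multiline form; parentheses and the whitespace dig
    inserts inside the digest are stripped."""
    fields = line.replace("(", " ").replace(")", " ").split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return {"owner": fields[0], "key_tag": tag, "algorithm": alg,
            "digest_type": dtype, "digest": "".join(fields[i + 4:]).upper()}


def ds_matches(ds: dict, owner, flags, protocol, algorithm, public_key) -> bool:
    """True if the published DS was derived from this DNSKEY (tag, algorithm and digest agree)."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False  # unknown digest type cannot be validated, treat as mismatch
    expected = make_ds(owner, flags, protocol, algorithm, public_key, ds["digest_type"])
    return (ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"] == expected["digest"])


def verify_published_ds(ds_lines, owner, flags, protocol, algorithm, public_key):
    """For each DS presentation line, report (key_tag, digest_type, matches_key)."""
    results = []
    for line in ds_lines:
        ds = parse_ds_line(line)
        results.append((ds["key_tag"], ds["digest_type"],
                        ds_matches(ds, owner, flags, protocol, algorithm, public_key)))
    return results


if __name__ == "__main__":
    for dtype in (1, 2):
        ds = make_ds(ZONE, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBLIC_KEY, dtype)
        print(f"{ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    for line in DS_LINES_FROM_POST:
        print(parse_ds_line(line))
```

Run against a zone's own `dig +multiline DS` answer (captured to lines) together with the KSK from `dig DNSKEY`, `verify_published_ds` tells you whether what the zone, or the F5 in front of it, is returning is the DS you intended to publish, which is the check to make before asking the registry to add the delegation record.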