Cory_50405
Jun 03, 2014 | Noctilucent
I work for a federal government agency as well, and we're subject to the same processes. We have DNSSEC working for all of our domains and we don't publish DS records. The DS record is hosted by the parent, which in this case is dotgov.gov. If you are getting a response for a DS record for a .gov domain, it's likely coming from dotgov. Dotgov is probably saying they aren't finding a corresponding DNSKEY (vice a DS record) on your GTMs. Do you have your zones created with a KSK and ZSK assigned to them? If so, then there should be a DNSKEY in place.
https://grepular.com/Understanding_DNSSEC