On a domain I recently set up to use DNSSEC with deSEC NS, DNSViz shows a warning to the effect that the CDS records published by deSEC don’t match the actual DS record.
Technically this is true because there is only one DS record but two CDS records, one of which matches the DS record. So the second one is the difference. The two differ in the digest type used. The one with digest type 2 (SHA-256) corresponds to the DS record, while the one with digest type 4 (SHA-384) has no match.
Note: My registrar wanted the fields of the DNSKEY to set this up, not the DS record(s). And the TLD also displays the DNSKEY in the whois reply next to the NS glue entries, not the DS record. Other TLDs may handle this differently.
I am assuming this DNSViz warning can be ignored, correct?
Even the deSEC web interface only shows a single DS record (with digest type 2) in the Info box for the Zone after a change some time ago.
Does it make sense to keep publishing both CDS records?
Thanks!
fiwswe
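The comparison DNSViz is making in the question above, reproduced as an added example (this is not code from the original post, from deSEC or from DNSViz): derive DS/CDS records from a DNSKEY with digest types 2 and 4 as RFC 4034 specifies, then split the child's CDS set and the parent's DS set into matched, CDS-only and DS-only entries. The owner name `example.com.` and the DNSKEY (flags 257, algorithm 13, a constant-byte public key) are constructed placeholders, not real key material.

```python
import hashlib
from typing import Dict, List, Tuple

# Digest type numbers from RFC 4034 / the IANA "DS RR digest types" registry.
DIGEST_ALGOS = {2: "sha256", 4: "sha384"}

# A DS or CDS record as a tuple: (key_tag, algorithm, digest_type, digest_hex).
DSRecord = Tuple[int, int, int, str]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    out = b"".join(len(lab).to_bytes(1, "big") + lab.encode("ascii") for lab in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> DSRecord:
    """DS for a DNSKEY: hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.hexdigest())


def ds_matches_dnskey(ds: DSRecord, owner: str, rdata: bytes) -> bool:
    """True if the DS record was derived from this DNSKEY (a validator needs only one such match)."""
    return ds[2] in DIGEST_ALGOS and make_ds(owner, rdata, ds[2]) == ds


def compare_cds_with_ds(cds: List[DSRecord], ds: List[DSRecord]) -> Dict[str, List[DSRecord]]:
    """Split the child's CDS set and the parent's DS set into matched / CDS-only / DS-only."""
    cds_set, ds_set = set(cds), set(ds)
    return {
        "matched": sorted(cds_set & ds_set),
        "cds_only": sorted(cds_set - ds_set),   # what DNSViz reports as CDS not matching DS
        "ds_only": sorted(ds_set - cds_set),
    }


# Constructed sample: example.com with a placeholder KSK (flags 257, protocol 3,
# algorithm 13 = ECDSAP256SHA256). The public key bytes are NOT a real key.
OWNER = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes([0x01] * 64))


def demo() -> Dict[str, List[DSRecord]]:
    """The situation from the question: child publishes CDS for types 2 and 4, parent holds type 2 only."""
    cds = [make_ds(OWNER, SAMPLE_KEY, 2), make_ds(OWNER, SAMPLE_KEY, 4)]
    ds = [make_ds(OWNER, SAMPLE_KEY, 2)]
    return compare_cds_with_ds(cds, ds)


if __name__ == "__main__":
    for bucket, records in demo().items():
        for tag, alg, dtype, digest in records:
            print(f"{bucket:9s} {tag} {alg} {dtype} {digest}")
```

The `cds_only` bucket is exactly the SHA-384 entry from the question: the parent's single DS still verifies the DNSKEY (`ds_matches_dnskey` is true for it), so validation is unaffected, and the report only says that the child's advertised set is larger than what the parent currently holds.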