Hi all, first: deSEC offers really great services, thanks a lot!
My problem in short:
On DENIC’s Nameserver Predelegation Check web interface I am entering my domain wildwiesen.de, the deSEC nameservers, and the pub DNSKEY, and indeed I get the error:
Error 217: No visible DNSKEY found signing directly or indirectly the SOA RR obtained in response
Now, I am arguing with my web hoster and their registrar about who’s to blame for it. They insist that it is a deSEC problem. Can you please explain what’s going wrong here and how to fix this?
For me, it looks as if they did not properly publish the DS records in the de zone, if I am checking with https://dnssec-analyzer.verisignlabs.com/wildwiesen.de.
Any help is highly appreciated.
Thanks for your message, and welcome to deSEC!
I am not sure what exactly the DENIC webinterface is checking (the DNSKEY is publicly visible, try
dig +short DNSKEY wildwiesen.de @188.8.131.52).
Your observation that the DS records are missing is also correct. This means that DNSSEC is not configured for your domains. Consequently, the DENIC check succeeds if no key is entered into the form.
So, I’m not sure why your web hoster / registrar is unable to publish the DS records. We host a large number of de domains, and we have not seen this problem before.
If you get more information from your provider about what exactly we need to change, do let us know!
Thank you once again. The error occurred on the registrar’s side, they fixed it. — It just took me a dozen emails to clarify.
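
The situation in this thread (DNSKEY published by the DNS operator, no DS in the parent zone), as an added example that is not part of the original posts or deSEC's code: it derives the DS record a registrar should publish from a DNSKEY (RFC 4034) and classifies the delegation. The key is constructed, the function names are hypothetical, and only SHA-256 (digest type 2) DS records are handled.

```python
import base64
import hashlib
import struct

# Constructed sample key (flags 257 = KSK, protocol 3, algorithm 15 = Ed25519).
# Not the real wildwiesen.de key.
CONSTRUCTED_KEY = (257, 3, 15, base64.b64encode(bytes(range(32))).decode())

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(name, flags, protocol, algorithm, pubkey_b64):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 of owner name + RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def diagnose(name, parent_ds, child_dnskeys):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    if not parent_ds:
        # The case in this thread: keys are visible at the DNS operator, but the
        # registry has no DS, so resolvers treat the zone as unsigned.
        return "insecure"
    published = {(t, a, d, h.upper()) for t, a, d, h in parent_ds}
    expected = {make_ds(name, *k) for k in child_dnskeys}
    # A DS that matches no served DNSKEY makes validating resolvers fail the zone.
    return "secure" if published & expected else "bogus"

if __name__ == "__main__":
    ds = make_ds("wildwiesen.de", *CONSTRUCTED_KEY)
    print("DS to hand to the registrar:", *ds)
    print("no DS at parent:", diagnose("wildwiesen.de", [], [CONSTRUCTED_KEY]))
    print("DS published:   ", diagnose("wildwiesen.de", [ds], [CONSTRUCTED_KEY]))
```

To use it on a live zone, feed in the fields from the DNSKEY answer of the authoritative nameserver and the DS answer from the parent zone.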