THEBACKUPBOX.NET

yadifa DNSSEC

unlike with bind,
you do NOT manually create your keys and tell yadifa where they are.
it isn't this obvious from the documentation.

https://github.com/isc-projects/isc-dnssec-guide/blob/master/src/troubleshooting_common-problems.xml

I was trying to use zsk and ksk at the same time but the checkers kept saying the dnssec rrset wasn't covered
by the keys I had in the DS records

I disabled ksk and it worked after that.

fuck if I know.

I re-enabled ksk and it is working.

it randomly stopped working one day. I figure it was key-rotation based.
I'm not sure if setting rotation schedule to insane (every minute I think) helped
but I did that, and found I had a second 257 key and so I ran a script to generate the stuff
for a new DS record and put that in to namecheap.
then the checkers I used bitched about the "old" key so I deleted that DS record
then deleted the key from /var/lib/yadifa/keys
and then had to restart unbound to get the cache cleared
and then dnssec was working again.
footer shit