On 19.2. 2022 10:54, Nick Cao via dns-wg wrote:
Strangely, after leaving everything as-is for a day, the rollover has been completed automatically. Guess that it was the mechanism documented in https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns#... taking effect. However, the same checks would have been applied to this procedure, or was the system using another instance of zonemaster or other software?
Hello Nick,

this was indeed an automated update of DS records based on CDS records published in your zone. Since this updater works by using RIPE NCC's superpowers to edit database objects on your behalf, these superpowers also override (or, to be precise, skip) the Zonemaster check. This is generally safe as the updater does all the checks prescribed by RFC 7344.

Right now this is really the only way to automatically upgrade to the newest DNSSEC algorithms which are not supported by the current version of Zonemaster. Unfortunately I cannot tell you anything about why Zonemaster is still not upgraded, but hopefully some of my colleagues will do.

--
Best regards,
Ondřej Caletka
RIPE NCC
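Added example, not part of the original message and not RIPE NCC's updater code: a sketch of the continuity check among the RFC 7344 acceptance rules mentioned above, which refuses a CDS set unless at least one record matches a DNSKEY actually published at the zone apex. The zone name and key bytes are constructed, and RRSIG validation of the CDS RRset (the RFC's signer rule) is assumed to have been done separately.

```python
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def continuity_ok(owner, cds_set, dnskey_set):
    """True if at least one CDS record matches a DNSKEY published at the apex."""
    valid = {make_ds(owner, k, dt) for k in dnskey_set for dt in DIGESTS}
    return any((t, a, dt, d.lower()) in valid for t, a, dt, d in cds_set)

# Constructed sample data: documentation prefix and made-up key bytes.
ZONE = "2.0.192.in-addr.arpa."
OLD_KEY = dnskey_rdata(257, 3, 8, bytes(range(100, 132)))
NEW_KEY = dnskey_rdata(257, 3, 15, bytes(range(32)))

if __name__ == "__main__":
    cds = [make_ds(ZONE, NEW_KEY)]
    print("CDS:", cds[0])
    print("new key published:", continuity_ok(ZONE, cds, [OLD_KEY, NEW_KEY]))
    print("new key missing:  ", continuity_ok(ZONE, cds, [OLD_KEY]))
```

A CDS set that fails this check would leave the parent with DS records pointing at no published key, which is why an updater that skips Zonemaster still has to enforce it.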