> NSEC only DNSKEYs and NSEC3 chains not allowed

That should've been worded or at least punctuated better. "NSEC-only DNSKEYs not allowed with NSEC3 chains", perhaps.

It means you're using at least one DNSKEY with an algorithm that predates NSEC3, and therefore your zone can't have a valid NSEC3 chain. Use "dnssec-keygen -3" to generate your keys.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
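
As an added example (not part of the original message and not BIND's own code), the Python below scans DNSKEY records in presentation format, such as `dig` output or `.key` files, and reports the keys whose algorithm predates NSEC3. It assumes one record per line with an explicit owner name, and takes the NSEC-only algorithms to be 1 (RSAMD5), 3 (DSA) and 5 (RSASHA1), the ones for which RFC 5155 added the NSEC3-aware aliases 6 and 7; the sample records are constructed.

```python
# Added example: find DNSKEYs whose algorithm predates NSEC3.
# Assumption: algorithm numbers follow the IANA DNSSEC registry, where
# 6 and 7 are the NSEC3-aware aliases of 3 (DSA) and 5 (RSASHA1).
NSEC_ONLY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# Constructed sample records (key data is not real).
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcConstructedKeyData ; KSK
example.test. 3600 IN DNSKEY 256 3 8 AwEAAbConstructedKeyData ; ZSK
example.test. 3600 IN DNSKEY 256 3 7 AwEAAdConstructedKeyData
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20300101000000 20290101000000 12345 example.test. c2ln
"""

def parse_dnskeys(text):
    """Return (owner, flags, algorithm) for each single-line DNSKEY record."""
    keys = []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()      # drop trailing comment
        upper = [t.upper() for t in tokens]
        if "DNSKEY" not in upper:
            continue
        i = upper.index("DNSKEY")
        # Skip RRSIGs that merely cover the DNSKEY type, and short lines.
        if i == 0 or upper[i - 1] == "RRSIG" or len(tokens) < i + 4:
            continue
        try:
            flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        except ValueError:
            continue
        if proto == 3:                              # DNSKEY protocol is always 3
            keys.append((tokens[0], flags, alg))
    return keys

def nsec3_blockers(text):
    """Keys that prevent the zone from having a valid NSEC3 chain."""
    blockers = []
    for owner, flags, alg in parse_dnskeys(text):
        if alg in NSEC_ONLY:
            role = "KSK" if flags & 1 else "ZSK"    # SEP bit marks a KSK
            blockers.append((owner, role, alg, NSEC_ONLY[alg]))
    return blockers

if __name__ == "__main__":
    for owner, role, alg, name in nsec3_blockers(SAMPLE):
        print(f"{owner} {role} uses algorithm {alg} ({name}): NSEC-only")
```
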