Context: BIND 9.8.3-P2

If dnssec-signzone is invoked with -S (smart signing), it examines keys in the key repository directory (-K) and selects only current keys for inclusion in the zone. That works well. It also generates DS records for the parent zone and lands them in a dsset file in (-d).

The behaviour of the dsset file generation appears to be unaffected by the smart signing switch (-S). The generated dsset file includes all KSK's found in the key repository (-K) irrespective of any timing metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted keys may remain in the key repository but the only way to exclude deleted KSK's from the dsset file seems to be to remove them from the key repository directory.

Am I not driving this properly?

Thank you.

--
John Marshall
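
An added example, not part of the original post and not BIND code: a small audit that reads the timing metadata comments in `K*.key` files and reports KSKs whose Delete time has passed, which are the keys the post describes as still showing up in the dsset file. It assumes the `; Delete: YYYYMMDDHHMMSS (...)` comment format written into `.key` files; the file names, key data and dates below are constructed.

```python
import re
from datetime import datetime, timezone

# Timing metadata comment lines in a K*.key file, e.g.
# "; Delete: 20120201000000 (Wed Feb  1 00:00:00 2012)"; timestamps are UTC.
META_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b", re.M)
# owner [ttl] [class] DNSKEY flags protocol algorithm key-data
DNSKEY_RE = re.compile(
    r"^([^;\s]\S*)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+\d+\s+\d+\s", re.M)

def parse_key(text):
    """Extract owner, KSK flag and timing metadata from .key file text."""
    rec = DNSKEY_RE.search(text)
    if rec is None:
        raise ValueError("no DNSKEY record found")
    times = {name: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
             for name, ts in META_RE.findall(text)}
    # SEP bit (value 1) set means key-signing key, e.g. flags 257
    return {"owner": rec.group(1), "ksk": bool(int(rec.group(2)) & 1), "times": times}

def deleted_ksks(keyfiles, now):
    """Names of KSK files whose Delete time is at or before `now`."""
    hits = []
    for name, text in sorted(keyfiles.items()):
        key = parse_key(text)
        delete = key["times"].get("Delete")
        if key["ksk"] and delete is not None and delete <= now:
            hits.append(name)
    return hits

# Constructed sample repository contents (file name -> file text).
HEAD = "; This is a key-signing key, keyid %d, for example.com.\n"
SAMPLE = {
    "Kexample.com.+008+11111.key": HEAD % 11111
        + "; Inactive: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        + "; Delete: 20120201000000 (Wed Feb  1 00:00:00 2012)\n"
        + "example.com. IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=\n",
    "Kexample.com.+008+22222.key": HEAD % 22222
        + "; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        + "example.com. 3600 IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=\n",
    "Kexample.com.+008+33333.key": "; This is a zone-signing key\n"
        + "; Delete: 20120201000000 (Wed Feb  1 00:00:00 2012)\n"
        + "example.com. IN DNSKEY 256 3 8 Q09OU1RSVUNURUQ=\n",
}
NOW = datetime(2012, 8, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in deleted_ksks(SAMPLE, NOW):
        print("deleted KSK still in repository:", name)
```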