On Dec 22, 2012, at 9:52 AM, Kyle Brantley <[email protected]> wrote:
> # named.conf
> options {
> [...]
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-secure-to-insecure yes;
> dnssec-dnskey-kskonly yes;
> }
By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
a(mother) ZSK.
Don't do that. Also, unless you are planning on deleting the DNSKEY resource
records, get rid of the "secure-to-insecure" as well.
AlanC
--
Alan Clegg | +1-919-355-8851 | [email protected]
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
