Re: auto-dnssec maintain: KSK being used as a ZSK as well?

Alan Clegg Fri, 21 Dec 2012 14:57:23 -0800

On Dec 22, 2012, at 9:52 AM, Kyle Brantley <k...@averageurl.com> wrote:


> # named.conf
> options {
>    [...]
>    dnssec-enable yes;
>    dnssec-validation yes;
>    dnssec-secure-to-insecure yes;
>    dnssec-dnskey-kskonly yes;
> }

By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as 
a(mother) ZSK.

Don't do that.  Also, unless you are planning on deleting the DNSKEY resource 
records, get rid of the "secure-to-insecure" as well.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: auto-dnssec maintain: KSK being used as a ZSK as well?

Reply via email to