On Dec 22, 2012, at 12:42 PM, Evan Hunt <e...@isc.org> wrote:

>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>> a(nother) ZSK.
>
> You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
> named not to use the ZSK when it signs the DNSKEY RRset, but it should
> still use the ZSK (and not the KSK) for all the other data in the zone.

Eh, yep. Thanks for that catch, Evan.

I think we may have found the problem "off-list" and it may be another thing for the signer to look into... more in a bit.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users