On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
> The new key does not sign the DNSKEY RRset.
[...]
> Make sure the DNSKEY RRset is signed with the new key then try to
> add the DS record to the parent.

It's intentionally not being used for signing; it's published but not yet activated. We've been doing pre-publish key rollover since we deployed dnssec, I don't think there's any requirement that a DS record point to a key actually in use for signing, just to one that exists in the zone?

Thanks...
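
The distinction discussed in this exchange, as an added example that is not part of the original thread: it computes RFC 4034 Appendix B key tags and reports, for each DS at the parent, whether the referenced DNSKEY currently signs the DNSKEY RRset or is only published. The key material, function names and sample sets are constructed for illustration.

```python
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over DNSKEY RDATA per RFC 4034 Appendix B (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def classify_ds_targets(dnskeys, dnskey_rrsig_tags, ds_tags):
    """Map each DS key tag to 'signing', 'published-only' or 'missing'.

    dnskeys:            (flags, protocol, algorithm, public_key) tuples at the apex
    dnskey_rrsig_tags:  key tags of the RRSIGs covering the DNSKEY RRset
    ds_tags:            key tags of the DS records held by the parent
    Key tags can collide; a real check must also compare the DS digest.
    """
    published = {key_tag(*k) for k in dnskeys}
    status = {}
    for tag in ds_tags:
        if tag not in published:
            status[tag] = "missing"          # DS points at no key in the zone
        elif tag in dnskey_rrsig_tags:
            status[tag] = "signing"          # key is active for the DNSKEY RRset
        else:
            status[tag] = "published-only"   # pre-published, not yet activated
    return status

def chain_ok(status):
    """A validator needs at least one DS whose key signs the DNSKEY RRset."""
    return any(s == "signing" for s in status.values())

# Constructed sample data: two KSKs (flags 257, algorithm 8) with dummy key bytes.
OLD_KSK = (257, 3, 8, bytes(range(1, 33)))
NEW_KSK = (257, 3, 8, bytes(range(33, 65)))

if __name__ == "__main__":
    signed_by = {key_tag(*OLD_KSK)}                      # only the old key signs
    ds_at_parent = [key_tag(*OLD_KSK), key_tag(*NEW_KSK)]
    result = classify_ds_targets([OLD_KSK, NEW_KSK], signed_by, ds_at_parent)
    for tag, state in result.items():
        print(f"DS keytag {tag}: {state}")
    print("validation path exists:", chain_ok(result))
```
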

