> On 20 Sep 2017, at 15:32, rams <brames...@gmail.com> wrote:
>
> We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK
> rollover. Is it correct we are returning two RRSIGs for DNSKEY?
Yes :-)

There are multiple ways to do a KSK rollover: you are doing a double-KSK rollover. The full explanation is in RFC 7583 which I strongly recommend you read (it is not too scary) - the tools are still not robust enough to save you from mistakes.

https://tools.ietf.org/html/rfc7583#section-2.2

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at
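
The situation in this thread (1 key with flags 256, 2 keys with flags 257, two RRSIGs over DNSKEY) can be checked mechanically. The following is an added example, not part of the original messages and not BIND code: it computes key tags per RFC 4034 Appendix B and matches each RRSIG covering DNSKEY to the key that made it. The zone name `example.`, the key material, the signature field and the helper names are all constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' into (flags, tag)."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    return flags, key_tag(flags, proto, alg, base64.b64decode("".join(f[7:])))

def dnskey_signers(rrsig_lines):
    """Key tags of the RRSIGs whose 'type covered' field is DNSKEY."""
    return {int(f[10]) for f in map(str.split, rrsig_lines) if f[4] == "DNSKEY"}

def describe(dnskey_lines, rrsig_lines):
    keys = [parse_dnskey(l) for l in dnskey_lines]
    ksks = {tag for flags, tag in keys if flags & 1}       # SEP bit set: 257
    zsks = {tag for flags, tag in keys if not flags & 1}   # zone key only: 256
    signers = dnskey_signers(rrsig_lines)
    return {
        "ksk": len(ksks), "zsk": len(zsks),
        "ksk_signing": len(signers & ksks),
        "unknown_signers": sorted(signers - ksks - zsks),
        # Both KSKs published and both signing the DNSKEY RRset is what
        # the double-KSK method looks like while old and new keys overlap.
        "two_ksks_both_signing": len(ksks) == 2 and ksks <= signers,
    }

# Constructed sample (not real keys): one ZSK, an old KSK and a new KSK.
def _dnskey(flags, fill):
    key = base64.b64encode(bytes([fill]) * 32).decode()
    return f"example. 3600 IN DNSKEY {flags} 3 8 {key}"

def _rrsig(tag):  # the trailing signature field is a placeholder
    return f"example. 3600 IN RRSIG DNSKEY 8 1 3600 20171020000000 20170920000000 {tag} example. c2ln"

SAMPLE_KEYS = [_dnskey(256, 1), _dnskey(257, 2), _dnskey(257, 3)]
SAMPLE_SIGS = [_rrsig(parse_dnskey(k)[1]) for k in SAMPLE_KEYS[1:]]

if __name__ == "__main__":
    print(describe(SAMPLE_KEYS, SAMPLE_SIGS))
```

A non-empty `unknown_signers` list means an RRSIG refers to a key tag that is not in the published DNSKEY RRset, which is worth investigating before moving to the next rollover step.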