On 3/5/20 5:26 AM, Tony Finch wrote:

> I think those errors from dnssec-verify look to me like you have an
> RSASHA256 KSK and an RSASHA1 ZSK. Your key files should all have names
> like K*+008+* not K*+005+*. In older versions of BIND it's easy to
> accidentally get a bad key by forgetting the -a option to dnssec-keygen.

That sounds like a likely scenario, actually.

> (BTW I prefer to talk about "keys" when I have the files with both the
> public and private parts, and only talk about DNSKEYs when I'm referring
> to the public parts published in zone files.)

Seems reasonable, thanks.
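
The key-name check described in the quoted advice, as an added example that is not part of the original message or of BIND: it reads each `K<zone>+<alg>+<tag>.key` file, compares the algorithm in the name with the one in the DNSKEY record, and reports any zone whose KSK and ZSK algorithms differ. The function names, the `example.com` zone and the placeholder key data are constructed for illustration, and a split KSK/ZSK setup is assumed.

```shell
#!/bin/sh
# Added example: report zones whose KSK and ZSK algorithms do not match.
# Assumes a split KSK/ZSK setup and K<zone>+<alg>+<tag>.key file names.

check_key_algorithms() {
    # $1: directory of .key files; returns 0 consistent, 1 mismatch, 2 no keys
    set -- "$1"/K*+*+*.key
    [ -e "$1" ] || { echo "no key files found" >&2; return 2; }
    awk '
        /^;/ { next }                      # skip comment lines in the key file
        {
            for (i = 1; i < NF - 2; i++) if ($i == "DNSKEY") {
                zone = tolower($1); alg = $(i + 3) + 0
                # flags 257 = KSK (SEP bit set), anything else treated as ZSK
                if ($(i + 1) == 257) ksk[zone, alg] = 1; else zsk[zone, alg] = 1
                algs[zone, alg] = 1
                # the algorithm number is also the middle field of the file name
                n = split(FILENAME, p, "[+]")
                if (p[n - 1] + 0 != alg) {
                    printf "%s: name says %d, record says %d\n", FILENAME, p[n - 1], alg
                    bad = 1
                }
            }
        }
        END {
            for (k in algs) {
                split(k, q, SUBSEP)
                if (!(k in ksk)) { printf "%s: algorithm %d has a ZSK but no KSK\n", q[1], q[2]; bad = 1 }
                if (!(k in zsk)) { printf "%s: algorithm %d has a KSK but no ZSK\n", q[1], q[2]; bad = 1 }
            }
            exit bad + 0
        }' "$@"
}

make_sample_keys() {
    # $1 directory, $2 KSK algorithm, $3 ZSK algorithm (constructed sample data)
    printf 'example.com. IN DNSKEY 257 3 %d AwEAAcPLACEHOLDER\n' "$2" \
        > "$1/$(printf 'Kexample.com.+%03d+11111.key' "$2")"
    printf 'example.com. IN DNSKEY 256 3 %d AwEAAcPLACEHOLDER\n' "$3" \
        > "$1/$(printf 'Kexample.com.+%03d+22222.key' "$3")"
}

# Demo: an RSASHA256 (8) KSK next to an RSASHA1 (5) ZSK, the case discussed above.
demo=$(mktemp -d)
make_sample_keys "$demo" 8 5
check_key_algorithms "$demo" || echo "algorithm mismatch between KSK and ZSK"
rm -rf "$demo"
```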
