I've had an issue with my key rotation process on a couple of zones. I believe I've resolved that issue, but it appears to me that in several cases the KSKs, rather than being used to sign the ZSK, are being used to sign the zone records directly.
https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=

I've checked the Publication/Activation dates on the KSKs and they seem to be right. The appropriate DS records should be available at the parent zone. The keys in question are clearly type 257 KSKs. Is there some kind of flag or something I need to add to the key to make it sign the ZSKs rather than the records directly? I'm running bind 9.16.16.

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7