What algorithm(s) are you using for ZSK and KSK? If they’re not the same algorithm, then both will be used to sign the entire zone.
Regards,
Chris Buxton

> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users
> <bind-users@lists.isc.org> wrote:
>
> Signed PGP part
> I've had an issue with my key rotation process on a couple of zones. I
> believe I've resolved that issue but it appears to me in several cases
> the KSKs rather than being used to sign the ZSK are being used to sign
> the zone records directly.
>
> https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=
>
> I've checked the Publication/Activation dates on the KSKs and they seem
> to be right. The appropriate DS records should be available at the
> parent zone. The keys in question are clearly type 257 KSKs. Is there
> some kind of flag or something I need to add to the key to make it sign
> the ZSKs rather than the records directly?
>
> I'm running bind 9.16.16.
>
> --
>
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6
> C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
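
One way to check a zone for the condition raised in the reply above, as an added example that is not part of the original thread or of BIND: it reads `dig`-style DNSKEY and RRSIG lines, computes key tags per RFC 4034 Appendix B, and reports SEP-flagged (257) keys that sign non-DNSKEY RRsets, plus algorithms that have a KSK but no ZSK. The zone `example.test`, the key material and the signature bytes are constructed sample values.

```python
import base64
import struct

def key_tag(flags, protocol, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def audit(lines):
    """Return (KSK signatures over non-DNSKEY RRsets, algorithms with a KSK but no ZSK)."""
    keys, sigs = {}, []
    for line in lines:
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[(key_tag(flags, proto, alg, "".join(f[7:])), alg)] = flags
        elif len(f) >= 12 and f[3] == "RRSIG":
            # RDATA order: covered type, algorithm, labels, TTL, expiry, inception, key tag
            sigs.append((f[4], int(f[5]), int(f[10])))
    # Bit 0 of the flags field is the SEP bit: 257 = KSK, 256 = ZSK.
    ksk_direct = sorted({(tag, alg, cov) for cov, alg, tag in sigs
                         if cov != "DNSKEY" and keys.get((tag, alg), 0) & 1})
    zsk_algs = {alg for (_, alg), fl in keys.items() if not fl & 1}
    ksk_only = sorted({alg for (_, alg), fl in keys.items() if fl & 1} - zsk_algs)
    return ksk_direct, ksk_only

def sample():
    """Constructed records: the KSK uses algorithm 8, the ZSK uses algorithm 13."""
    ksk = base64.b64encode(b"constructed KSK material").decode()
    zsk = base64.b64encode(b"constructed ZSK material").decode()
    kt, zt = key_tag(257, 3, 8, ksk), key_tag(256, 3, 13, zsk)
    sig = ("example.test. 300 IN RRSIG {} {} 2 300 "
           "20210930000000 20210830000000 {} example.test. c2ln")
    return [
        f"example.test. 300 IN DNSKEY 257 3 8 {ksk}",
        f"example.test. 300 IN DNSKEY 256 3 13 {zsk}",
        sig.format("DNSKEY", 8, kt),
        sig.format("A", 8, kt),    # KSK signing zone data directly
        sig.format("A", 13, zt),
    ]

if __name__ == "__main__":
    direct, ksk_only = audit(sample())
    for tag, alg, covered in direct:
        print(f"KSK tag {tag} (alg {alg}) signs {covered} RRset directly")
    print("algorithms with a KSK but no ZSK:", ksk_only)
```

To run it against a live zone, feed it the lines from `dig +dnssec +multi`-free output (one record per line) for the DNSKEY RRset and a few data RRsets.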