On 26-05-2022 11:05, Sandro wrote:
> I'll take a look at the bug report in a minute.
Well, there are similarities between #2463 and my setup, but also differences.
In my case, all zones are signed, internal and external. I have one dnssec-policy defined in the options section, which is a verbatim copy of dnssec-policy.default with only one adjustment: zone-propagation-delay is set to 1h instead of 300s.
The internal view of penguinpee.nl is a dynamic primary zone. It receives zone updates from Kea DHCP Server. The external zone is a static primary zone, updated manually as needed.
Since they share the same key now, I could reconfigure the internal view and have BIND create a new key in a separate directory for that view. I could also define a separate policy for the internal view to see if that makes a difference. Probably one change at a time to nail this thing down.
Thank you, Matthijs, for pointing out the bug. Do you have any suggestion for what to try first, key separation or policy separation?
-- Sandro
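The two changes weighed in the message above (a separate key directory for the internal view, or a separate policy for it), sketched as a named.conf fragment. This is an added example, not configuration from the poster or from ISC; the policy names, file and directory paths, match-clients lists and the `kea-ddns` TSIG key name are all assumptions.

```conf
// Constructed fragment; names and paths are placeholders.
// Each policy repeats only the CSK line of the built-in default policy plus
// the 1h propagation delay; the poster's policy is a full copy of the default.
dnssec-policy "external-1h" {
    keys { csk key-directory lifetime unlimited algorithm ecdsap256sha256; };
    zone-propagation-delay 1h;
};

// Change B (policy separation): a second, separately named policy
// referenced only by the internal view.
dnssec-policy "internal-1h" {
    keys { csk key-directory lifetime unlimited algorithm ecdsap256sha256; };
    zone-propagation-delay 1h;
};

view "internal" {
    match-clients { localnets; };                // assumption
    zone "penguinpee.nl" {
        type primary;
        file "dynamic/internal/penguinpee.nl.db";
        // Dynamic zone: updates arrive from Kea; the TSIG key "kea-ddns"
        // is assumed to be defined elsewhere in the configuration.
        update-policy { grant kea-ddns zonesub ANY; };
        // Change A (key separation): a directory used by this view only.
        // It must exist and be writable by named before reloading.
        key-directory "keys/internal";
        dnssec-policy "internal-1h";
    };
};

view "external" {
    match-clients { any; };                      // assumption
    zone "penguinpee.nl" {
        type primary;
        file "external/penguinpee.nl.db";
        // Static zone edited by hand, so signing goes through inline-signing.
        inline-signing yes;
        key-directory "keys/external";
        dnssec-policy "external-1h";
    };
};
```

To test one change at a time, apply only the `key-directory` line or only the `dnssec-policy "internal-1h"` reference first, and run `named-checkconf` before reloading.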