On 7 Nov 2022, at 11:40, Niall O'Reilly wrote: > Preparation: > > - Set up minimal stand-alone instance of BIND9 named, > configured with a **dnssec-policy** for each algorithm, > matching properties of existing DNSSEC keys, and with > `lifetime unlimited`; > - Deliver current key files and recently-signed copy of > zone files to this instance.
I needed an additional stage of preparation, before delivering the key files; specifically, I needed to edit the .private files to 'Private-key-format: v1.3' and add missing lifecycle metadata. After doing this, named behaved exactly as expected. Thanks, Matthijs, for steering me in the right direction, and for being ready to give me additional help. /Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
