This should be possible. Please file a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new Mention the version used and describe the steps how to reproduce. Best regards, Matthijs On 11/22/23 13:20, Björn Persson wrote:
My zone was previously signed with a KSK and a ZSK with unlimited lifetime. I switched the zone over to a dnssec-policy using CSKs and automatic key rotation. After the DS record was updated, most of the RRSIG records were removed, leaving the zone broken to validating resolvers. Am I not supposed to do that, or is this a known bug, or do I need to spend the time to write a detailed bug report? Björn Persson
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
