> I see two DNSKEY RRSIGs. If the zones are signed by Knot, there should
> be just one RRSIG for DNSKEY.  Try `knotc zone-sign` to see if it
> removes the defective signatures.

so our attempts at diagnosis indicate that the primary, running knot,
and secondaries which run knot, return one RRSIG.  secondaries running
bind return two.  we're digging further.

randy