9.9.0b2 Key Expiration Question
Paul Wouters
paul at xelerance.com
Thu Dec 1 20:30:15 UTC 2011
On Thu, 1 Dec 2011, Chris Thompson wrote:
> I think that because you have told it to inactivate and indeed delete both
> ZSKs, in desperation it has signed the whole zone with the only remaining
> key, even though it has the SEP bit set.
The SEP bit does not mean "do not sign zone data". It means "this is a trust
anchor and can be configured in the parent or elsewhere (DLV, local resolver)".
Of course, normally, with a KSK and ZSK, the KSK is the SEP key, and it does not
sign the zone data.
Paul
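
The distinction drawn in this message, as an added example that is not part of the original post or of BIND: the SEP flag is only a hint on the DNSKEY record, and which RRsets a key actually signs is read from the RRSIG records. The function names and the zone data are constructed for illustration; the key tag routine follows RFC 4034 Appendix B.

```python
import base64
import struct

SEP = 0x0001  # DNSKEY flags bit 15: Secure Entry Point (RFC 4034)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def signing_roles(zone_lines):
    """Map key tag -> {'sep': bool, 'covers': set of RR types it signed}."""
    roles = {}
    for line in zone_lines:
        f = line.split()
        if len(f) > 7 and f[3] == "DNSKEY":
            tag = key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            roles.setdefault(tag, {"sep": False, "covers": set()})
            roles[tag]["sep"] = bool(int(f[4]) & SEP)
        elif len(f) > 12 and f[3] == "RRSIG":
            # RRSIG RDATA: type covered, alg, labels, TTL, expire, inception, key tag, ...
            roles.setdefault(int(f[10]), {"sep": False, "covers": set()})
            roles[int(f[10])]["covers"].add(f[4])
    return roles

def sep_keys_signing_zone_data(zone_lines):
    """Key tags with SEP set that also signed RRsets other than DNSKEY."""
    return sorted(t for t, r in signing_roles(zone_lines).items()
                  if r["sep"] and r["covers"] - {"DNSKEY"})

def constructed_zone():
    """Constructed sample: a zone left with a single SEP-flagged key."""
    pub = base64.b64encode(b"constructed key bytes, not a real key").decode()
    tag = key_tag(257, 3, 8, pub)
    sig = "Y29uc3RydWN0ZWQ="  # placeholder signature, never verified here
    lines = [f"example. 3600 IN DNSKEY 257 3 8 {pub}"]
    for owner, rtype, labels in [("example.", "DNSKEY", 1), ("example.", "SOA", 1),
                                 ("www.example.", "A", 2)]:
        lines.append(f"{owner} 3600 IN RRSIG {rtype} 8 {labels} 3600 "
                     f"20111231000000 20111201000000 {tag} example. {sig}")
    return lines

if __name__ == "__main__":
    for tag, role in signing_roles(constructed_zone()).items():
        print(tag, "SEP" if role["sep"] else "no SEP", sorted(role["covers"]))
```

With a conventional KSK/ZSK split, `sep_keys_signing_zone_data` returns an empty list, because the SEP key's tag appears only on the RRSIG covering DNSKEY.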