KSK signing zone records
raf
bind at raf.org
Tue Aug 31 23:12:59 UTC 2021
On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews <marka at isc.org> wrote:
> The rules for what gets signed by what are per algorithm. Additionally the
> SEP bit is a hint to the signer as to what is desired. Named has controls to
> say whether to pay attention to the SEP bit or not. Additionally it will
> override those controls to pay attention to the SEP bit if it believes that
> the zone won’t be correctly signed if it paid attention to the SEP bit.
>
> People have created zones where one algorithm has keys with and without the SEP
> bit for one algorithm but for a second algorithm there are only keys with (without)
> the SEP bit. If the signer has been told to honour the SEP bit then for the first
> algorithm it will be honoured and for the second algorithm the instruction will
> be overridden.
>
> See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of
> dnssec-policy.
Thanks.
cheers,
raf
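The per-algorithm rule Mark describes, as an added illustration (not BIND's code and not from this thread): a small model in which `honour_sep` stands in for the strictest named settings (`update-check-ksk yes` plus `dnssec-dnskey-kskonly yes`), key names and flags are constructed, and the override is triggered whenever an algorithm has keys of only one kind, since RFC 4035 requires every algorithm present in the DNSKEY RRset to sign every RRset in the zone.

```python
from dataclasses import dataclass

SEP = 0x0001  # DNSKEY flags bit 15 (RFC 4034): Secure Entry Point


@dataclass(frozen=True)
class DnsKey:
    name: str       # constructed label, not a real key tag
    algorithm: int  # DNSKEY algorithm number, e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    flags: int      # 256 = ZSK (ZONE), 257 = KSK (ZONE + SEP)

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP)


def signing_keys(keys, rrtype, honour_sep=True):
    """Keys that sign an RRset of type `rrtype`, decided per algorithm.

    If SEP is honoured and an algorithm has both KSKs and ZSKs, its KSKs sign
    only the DNSKEY RRset and its ZSKs sign everything else.  If an algorithm
    has keys of only one kind, honouring SEP would leave RRsets unsigned by
    that algorithm, so the hint is overridden and all its keys sign everything.
    """
    by_alg = {}
    for k in keys:
        by_alg.setdefault(k.algorithm, []).append(k)
    chosen = []
    for alg_keys in by_alg.values():
        ksks = [k for k in alg_keys if k.is_ksk]
        zsks = [k for k in alg_keys if not k.is_ksk]
        if not honour_sep or not ksks or not zsks:
            chosen.extend(alg_keys)          # SEP hint ignored or overridden
        elif rrtype == "DNSKEY":
            chosen.extend(ksks)
        else:
            chosen.extend(zsks)
    return sorted(chosen, key=lambda k: (k.algorithm, k.name))


def every_algorithm_signs(keys, rrtypes, honour_sep=True):
    """RFC 4035 s2.2 check: each algorithm in the DNSKEY RRset signs every RRset."""
    algs = {k.algorithm for k in keys}
    return all(algs == {k.algorithm for k in signing_keys(keys, t, honour_sep)}
               for t in rrtypes)


# Constructed zone: algorithm 13 has a KSK and a ZSK; algorithm 8 has only a KSK.
ZONE_KEYS = [
    DnsKey("ksk13", 13, 257),
    DnsKey("zsk13", 13, 256),
    DnsKey("ksk8", 8, 257),   # no ZSK for algorithm 8, so SEP is overridden here
]
```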