auto-dnssec maintain: KSK being used as a ZSK as well?
Alan Clegg
alan at clegg.com
Sat Dec 22 02:37:20 UTC 2012
On Dec 22, 2012, at 12:42 PM, Evan Hunt <each at isc.org> wrote:
>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>> a(mother) ZSK.
>
> You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
> named not to use the ZSK when it signs the DNSKEY RRset, but it should
> still use the ZSK (and not the KSK) for all the other data in the zone.
Eh, yep. Thanks for that catch, Evan.
I think we may have found the problem "off-list" and it may be another thing for the signer to look into... more in a bit.
AlanC
--
Alan Clegg | +1-919-355-8851 | alan at clegg.com
More information about the bind-users
mailing list