Switching to a different dnssec-policy broke my zone.
Matthijs Mekking
matthijs at isc.org
Wed Nov 22 12:48:54 UTC 2023
This should be possible.
Please file a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new
Mention the version used and describe the steps how to reproduce.
Best regards,
Matthijs
On 11/22/23 13:20, Björn Persson wrote:
> My zone was previously signed with a KSK and a ZSK with unlimited
> lifetime. I switched the zone over to a dnssec-policy using CSKs and
> automatic key rotation. After the DS record was updated, most of the
> RRSIG records were removed, leaving the zone broken to validating
> resolvers.
>
> Am I not supposed to do that, or is this a known bug, or do I need to
> spend the time to write a detailed bug report?
>
> Björn Persson
>
>
More information about the bind-users
mailing list