> NSEC only DNSKEYs and NSEC3 chains not allowed That should've been worded or at least punctuated better. "NSEC-only DNSKEYs not allowed with NSEC3 chains", perhaps. It means you're using at least one DNSKEY with an algorithm that predates NSEC3, and therefore your zone can't have a valid NSEC3 chain. Use "dnssec-keygen -3" to generate your keys.
-- Evan Hunt -- [email protected] Internet Systems Consortium, Inc. _______________________________________________ bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
