On Thu, 1 Dec 2011, Chris Thompson wrote:
I think that because you have told it to inactivate and indeed delete both ZSKs, in desperation it has signed the whole zone with the only remaining key, even though it has the SEP bit set.
The SEP bit does not mean "do not sign zone data". It means "this is a trust anchor and can be configured in the parent or elsewhere (DLV, local resolver)". Of course, normally, with a KSK and ZSK, the KSK is the SEP key, and it does not sign the zone data.

Paul
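
An added illustration of the point in the reply above (not code from the thread or from BIND): the sketch below decodes the DNSKEY flags field, computes key tags per RFC 4034 Appendix B, and reports SEP-flagged keys that sign anything besides the DNSKEY RRset, which is how a zone in the state described would look to a monitoring check. The function names, the placeholder key bytes and the RRSIG lists given as (type covered, key tag) pairs are all constructed for this example.

```python
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7 (RFC 4034): key may sign zone data
SEP = 0x0001       # DNSKEY flags bit 15: secure entry point, a hint only

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA wire format: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def signing_roles(dnskeys, rrsigs):
    """Map key tag -> (sep_bit_set, sorted RR types that key signs).

    dnskeys: (flags, algorithm, pubkey) tuples; rrsigs: (type_covered, key_tag).
    Assumes no key tag collisions within the zone.
    """
    roles = {}
    for flags, alg, pub in dnskeys:
        if flags & ZONE_KEY:
            tag = key_tag(dnskey_rdata(flags, alg, pub))
            roles[tag] = (bool(flags & SEP), set())
    for rrtype, tag in rrsigs:
        if tag in roles:
            roles[tag][1].add(rrtype)
    return {t: (sep, sorted(types)) for t, (sep, types) in roles.items()}

def sep_keys_signing_zone_data(dnskeys, rrsigs):
    """Tags of SEP-flagged keys that sign anything besides the DNSKEY RRset."""
    return sorted(t for t, (sep, types) in signing_roles(dnskeys, rrsigs).items()
                  if sep and any(rt != "DNSKEY" for rt in types))

# Constructed sample data (placeholder key bytes, not real keys).
KSK = (257, 8, b"\x01\x02")   # SEP bit set
ZSK = (256, 8, b"\x0a\x0b")   # SEP bit clear
KSK_TAG = key_tag(dnskey_rdata(*KSK))
ZSK_TAG = key_tag(dnskey_rdata(*ZSK))

# Usual split: KSK signs only DNSKEY, ZSK signs the zone data.
SPLIT = [("DNSKEY", KSK_TAG), ("DNSKEY", ZSK_TAG), ("SOA", ZSK_TAG), ("A", ZSK_TAG)]
# The thread's situation: ZSKs gone, the SEP key signs everything.
SEP_ONLY = [("DNSKEY", KSK_TAG), ("SOA", KSK_TAG), ("A", KSK_TAG)]

if __name__ == "__main__":
    print(sep_keys_signing_zone_data([KSK, ZSK], SPLIT))
    print(sep_keys_signing_zone_data([KSK], SEP_ONLY))
```

Both constructed zones are validly signed from a validator's point of view; the check only flags that the key published as a trust anchor is also the one signing zone data.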