On 03/08/2012 09:28, John Marshall wrote:
> The behaviour of the dsset file generation appears to be unaffected by
> the smart signing switch (-S). The generated dsset file includes all
> KSKs found in the key repository (-K) irrespective of any timing
> metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted
> keys may remain in the key repository but the only way to exclude
> deleted KSKs from the dsset file seems to be to remove them from the
> key repository directory.
I have upgraded to BIND 9.9.1-P2 and see the same behaviour there as well. Unless I am missing something obvious, it seems that the only way to avoid having "dnssec-signzone -g" for a parent zone pick up stale DS records from dsset files generated by "dnssec-signzone -S" for the child zones is to remove deleted KSKs from the (-K) key repository directory prior to signing the child zones.

-- 
John Marshall
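One way to script the workaround described in the post (moving deleted KSKs out of the -K directory before running "dnssec-signzone -S"), as an added example that is not from the original post or from BIND itself. It assumes the "; Delete: YYYYMMDDHHMMSS (...)" comment line that dnssec-settime writes into the .key file, a zone file named <zone>.db, and uses constructed, truncated key files with fake key material for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): list the KSKs whose
# dnssec-settime "Delete:" time has passed so they can be moved out of
# the -K directory before "dnssec-signzone -S" writes the dsset file.
# Assumes the .key files carry the timing metadata as "; Delete: <ts> (...)"
# comment lines, with <ts> in YYYYMMDDHHMMSS form (UTC).

# Print the basename of every KSK in $1 whose Delete time is <= $2.
deleted_ksks() {
    keydir=$1; now=$2
    for keyfile in "$keydir"/K*.key; do
        [ -f "$keyfile" ] || continue
        # Only KSKs (SEP bit set, flags 257) end up in the dsset file.
        grep -q 'DNSKEY[[:space:]]\{1,\}257[[:space:]]' "$keyfile" || continue
        del=$(sed -n 's/^; Delete: \([0-9]\{14\}\).*/\1/p' "$keyfile")
        [ -n "$del" ] || continue          # no Delete time: key is live
        if [ "$del" -le "$now" ]; then
            base=${keyfile%.key}; echo "${base##*/}"
        fi
    done
}

# Move each deleted KSK pair into $2 (kept, but invisible to -K), then
# sign the child zone with smart signing as in the post.
quarantine_and_sign() {
    keydir=$1; quarantine=$2; zone=$3; now=$(date -u +%Y%m%d%H%M%S)
    mkdir -p "$quarantine"
    for base in $(deleted_ksks "$keydir" "$now"); do
        mv "$keydir/$base.key" "$keydir/$base.private" "$quarantine/"
    done
    dnssec-signzone -S -K "$keydir" -o "$zone" "$zone.db"
}

# Constructed sample repository (truncated key files, fake key material).
mkkey() {   # mkkey <dir> <keyid> <flags> [delete-time]
    f="$1/Kexample.com.+008+$2.key"
    printf '; Created: 20120701000000 (Sun Jul  1 00:00:00 2012)\n' > "$f"
    if [ -n "${4:-}" ]; then printf '; Delete: %s (...)\n' "$4" >> "$f"; fi
    printf 'example.com. IN DNSKEY %s 3 8 AwEAAfakekey=\n' "$3" >> "$f"
}
demo=$(mktemp -d)
mkkey "$demo" 11111 257                   # live KSK, no Delete time
mkkey "$demo" 22222 257 20120715000000    # KSK deleted before 2012-08-03
mkkey "$demo" 33333 257 20121231000000    # KSK scheduled for deletion later
mkkey "$demo" 44444 256 20120715000000    # ZSK: never in the dsset file
deleted_ksks "$demo" 20120803092800       # prints Kexample.com.+008+22222
```

Run quarantine_and_sign with the real key directory, a quarantine directory and the child zone name once the listing looks right; the parent's "dnssec-signzone -g" then only sees dsset entries for KSKs still in the repository.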