On 12/21/2012 3:56 PM, Alan Clegg wrote:
On Dec 22, 2012, at 9:52 AM, Kyle Brantley <[email protected]> wrote:# named.conf options { [...] dnssec-enable yes; dnssec-validation yes; dnssec-secure-to-insecure yes; dnssec-dnskey-kskonly yes; }By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as a(nother) ZSK. Don't do that. Also, unless you are planning on deleting the DNSKEY resource records, get rid of the "secure-to-insecure" as well. AlanC
Initially I didn't have the directive in there at all and it was still doing this. I added it in to see if it would help resolve the problem. I've flipped it to no and resigned the zone... but it's still using the ZSK as a KSK. I also re-tried it without the directive at all, and it is still using the ZSK as a KSK.
re: secure-to-insecure: I'll be removing this statement once I get these keys working properly. At the moment, that's how I'm resigning the zone: delete the DNSKEY records via nsupdate and then re-add them.
--Kyle _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
