On 7/31/15 4:33 AM, Tony Finch wrote: > David Newman <dnew...@networktest.com> wrote: >> On 7/30/15 10:37 AM, Evan Hunt wrote: >>> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote: >>>> >>>> Hidden primary (not authoritative for this zone): Key still in zone > > I think what you mean here is that the hidden primary is not advertised in > the zone's NS RRset. (Whether a server is authoritative for a zone or not > depends on the server configuration, not the NS RRset.) > >> Most zones have four authoritative nameservers, only one of which I >> manage. Of the three I don't manage, I'm pretty sure at least two have >> no DNSSEC-specific configuration -- a hint that any DNSSEC records they >> serve come from this hidden primary. > > The DNSSEC records come from the zone data like any other records. You > don't need any special DNSSEC configuration to act as a secondary for a > signed zone - it just works. > > I don't have any particular suggestions for your problem other than > checking zone serial numbers and transfer logs carefully.
Thanks. For reasons passing understanding, that "bad key" was gone queries against the hidden primary after a few hours. This is running the same dig query as before, and with no other config changes to the server. Unclear why the hidden primary ever returned that key after Evan's instructions, but all is good now. Thanks very much to everyone who responded. dn _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
