On 09/09/2018 19:51, Mark Elkins wrote:

> Never assume a KeyID is unique. :-)

One of the DNSSEC RFCs specifically says that the KeyID is not meant to be unique. I can't remember which one, and it's too late on a Sunday evening to be reading RFCs :)

Even then, I've had the misfortune of dealing with a vendor whose developers didn't read the RFCs properly, and designed their key store using the key IDs as indexes. So one fine day, we had a zone signed with one key, but the DS record came from another key. Boom. Yuck. What a mess it was to sort out!

Regards,
Anand
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
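The failure described in the message above, as an added example that is not part of the original post or of any vendor's code: the key tag is the 16-bit checksum from RFC 4034 Appendix B, so two different DNSKEYs can share it, and a DS record has to be matched to its key by digest. The owner name `example.com.`, algorithm 13, the constructed key bytes and all function names are assumptions made for illustration.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # flags (2 bytes) | protocol, always 3 | algorithm | public key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def name_to_wire(name: str) -> bytes:
    # Canonical (lowercase) wire form of an owner name
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> bytes:
    # DS digest type 2: SHA-256(owner name | DNSKEY RDATA)
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def keys_matching_ds(owner, ds_tag, ds_alg, ds_digest_value, rdatas):
    """Key tag and algorithm only narrow the candidates; the digest decides."""
    return [r for r in rdatas
            if key_tag(r) == ds_tag and r[3] == ds_alg
            and ds_digest(owner, r) == ds_digest_value]

# Constructed byte strings standing in for public keys (not real keys).
# Swapping two bytes at even RDATA offsets leaves the key tag sum unchanged.
PUB_A = bytes(range(1, 65))
PUB_B = bytes([PUB_A[2], PUB_A[1], PUB_A[0]]) + PUB_A[3:]
KEY_A = dnskey_rdata(257, 13, PUB_A)
KEY_B = dnskey_rdata(257, 13, PUB_B)

def demo():
    owner = "example.com."
    naive_store = {}                          # key store indexed by key tag alone
    for rdata in (KEY_A, KEY_B):
        naive_store[key_tag(rdata)] = rdata   # KEY_B silently replaces KEY_A
    ds_for_a = (key_tag(KEY_A), 13, ds_digest(owner, KEY_A))
    matched = keys_matching_ds(owner, *ds_for_a, [KEY_A, KEY_B])
    return len(naive_store), naive_store[key_tag(KEY_A)] == KEY_A, matched

if __name__ == "__main__":
    print(demo())
```

A store keyed on the full DNSKEY RDATA (or its digest) keeps both keys; the tag-indexed dictionary ends up holding only the second one, which is how a zone can be signed with one key while the DS is derived from another.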