Thank you for your speedy response, Matthijs.

On 7 Nov 2022, at 13:10, Matthijs Mekking wrote:

> Ignore that, I saw too late there were attachments.

Perhaps I ought to have mentioned them explicitly.

> Are you able to share the public key and key state files with me so I can investigate why BIND thinks the existing keys cannot be used?

Off list, and PGP-protected, yes.

This will mean I'll end up having to change the parent DS RRs later on.
That seems a reasonable cost for getting to the root of the problem.

I have no key state files, except after starting named, and then only
for the RSA/SHA-256 and **newly-generated** ECDSA keys.  My current
signing process uses ldns-signzone, which seems not to use such files.

> Also, the log file looks like an excerpt.

No; that's everything named, as configured, writes.

> A full debug (level 3) log would be useful too.

I'll set up for that, and follow up off list.

Thanks and best regards,
Niall

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

