auto-dnssec maintain: KSK being used as a ZSK as well?

Kyle Brantley kyle at
Fri Dec 21 22:52:01 UTC 2012

I've generated a KSK as well as a ZSK and configured bind to maintain 
the keys.

# named.conf
options {
     dnssec-enable yes;
     dnssec-validation yes;
     dnssec-secure-to-insecure yes;
     dnssec-dnskey-kskonly yes;
};

zone "" IN {
         type master;
         file "data/";
         allow-transfer { key inter-server-key; };
         update-policy {
                 grant local-ddns zonesub any;
         };
         key-directory "keys/";
         auto-dnssec maintain;
};

However, when bind goes through and does the actual zone signing, it 
appears as if the KSK is signing the ZSK(s) and the actual zone data as 
well (see:

Am I missing something obvious here? I would like the KSK to sign just 
the ZSKs... but aside from setting dnssec-dnskey-kskonly (which I've 
done) I can't see anything that I'm missing here.

OS and bind versions:
# rpm -qa | grep bind
# uname -a
Linux 2.6.32-279.14.1.el6.x86_64 #1 SMP Tue Nov 6 23:43:09 UTC 2012 
x86_64 x86_64 x86_64 GNU/Linux

Any help would be appreciated...
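
A check for the symptom described in the message above, added here as an example (it is not part of the original post and is not BIND's own code): it computes each DNSKEY's key tag per RFC 4034 Appendix B and lists every RRSIG over a non-DNSKEY RRset that was made by a key with the SEP bit set. The zone name example.test, the dummy keys and signatures, and the function names are assumptions; input is expected with one record per line.

```python
import base64
import struct

# Constructed sample in zone-file presentation format (not from the post).
# Key material and signatures are dummy values; the tags match the dummy keys.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 8 AAAA
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130120000000 20121221000000 1545 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20130120000000 20121221000000 1032 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20130120000000 20121221000000 1545 example.test. c2ln
www.example.test. 3600 IN RRSIG A 8 3 3600 20130120000000 20121221000000 1032 example.test. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse(zone_text):
    """Return ({key_tag: flags}, [(owner, covered_type, key_tag)])."""
    keys, sigs = {}, []
    for line in zone_text.splitlines():
        tok = line.split(";")[0].split()  # drop trailing comments
        if "DNSKEY" in tok and "RRSIG" not in tok:
            i = tok.index("DNSKEY")
            flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
            keys[key_tag(flags, proto, alg, "".join(tok[i + 4:]))] = flags
        elif "RRSIG" in tok:
            i = tok.index("RRSIG")
            # RRSIG RDATA: covered alg labels ttl expire inception keytag signer sig
            sigs.append((tok[0], tok[i + 1], int(tok[i + 7])))
    return keys, sigs

def ksk_signed_data(zone_text):
    """RRSIGs over non-DNSKEY RRsets made by a key with the SEP bit (KSK)."""
    keys, sigs = parse(zone_text)
    return [(owner, rtype, tag) for owner, rtype, tag in sigs
            if rtype != "DNSKEY" and keys.get(tag, 0) & 0x0001]

if __name__ == "__main__":
    for owner, rtype, tag in ksk_signed_data(SAMPLE):
        print(f"KSK {tag} signs {owner} {rtype}")
```

An empty result means the KSK's signatures are confined to the DNSKEY RRset.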
