auto-dnssec maintain: KSK being used as a ZSK as well?

Kyle Brantley kyle at
Sat Dec 22 02:24:42 UTC 2012

On 12/21/2012 6:42 PM, Evan Hunt wrote:
>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>> a(mother) ZSK.
> You're thinking of "update-check-ksk".  "dnssec-dnskey-kskonly" tells
> named not to use the ZSK when it signs the DNSKEY RRset, but it should
> still use the ZSK (and not the KSK) for all the other data in the zone.
> My guess is the ZSK is inaccessible (private key inactive, missing,
> or has permissions set so that named can't read it).  If named has an
> active KSK it can work with, but no ZSK is available, then it'll use the
> KSK for all data rather than let the zone go insecure.
> Running "dnssec-settime -p all <key>" on the ZSK will show you what the
> key timers are set to.  If the key's Activation date is in the future or
> the Inactive date is in the past, that's the problem.

I've double and triple checked these details, actually. named has access 
to the keys (validated both file permissions and selinux contexts) and 
the key metadata is fine with respect to timings. Additionally, the zone 
is being signed with both the KSK and the ZSK (which is my primary 
problem), so I know that the permissions and metadata are fine :)


More information about the bind-users mailing list