auto-dnssec maintain: KSK being used as a ZSK as well?

Kyle Brantley kyle at
Sat Dec 22 02:50:43 UTC 2012

On 12/21/2012 7:37 PM, Alan Clegg wrote:
> On Dec 22, 2012, at 12:42 PM, Evan Hunt <each at> wrote:
>>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>>> a(mother) ZSK.
>> You're thinking of "update-check-ksk".  "dnssec-dnskey-kskonly" tells
>> named not to use the ZSK when it signs the DNSKEY RRset, but it should
>> still use the ZSK (and not the KSK) for all the other data in the zone.
> Eh, yep.  Thanks for that catch, Evan.
> I think we may have found the problem "off-list" and it may be another thing for the signer to look into... more in a bit.
> AlanC

Aye. Thanks, Alan, for the help. The problem was that I was generating a 
RSASHA512 for my KSK, but I was using NSEC3RSASHA1 for my ZSKs. I 
generated a temporary ZSK that was also RSASHA512 to match my KSK and it 
is working great now.

Now to go decimate the entropy on my box for a bit to generate some more 
RSASHA512 keys...


More information about the bind-users mailing list