do not stupidly delete ZSK files

David Newman dnewman at
Thu Jul 30 23:47:03 UTC 2015

On 7/30/15 10:37 AM, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
>> After that second procedure (and also chown'ing the keyfiles to the bind
>> user), the command 'dig +dnssec +multi dnskey' gives
>> different results depending on which nameserver gets the query:
>> Hidden primary (not authoritative for this zone): Key still in zone
> ... sorry, I'm confused. Which of the servers is doing the signing?

This hidden primary nameserver does the signing. The zones I've created
list only the secondary nameservers -- the ones that get zone transfers
from this hidden primary -- as authoritative.

Most zones have four authoritative nameservers, only one of which I
manage. Of the three I don't manage, I'm pretty sure at least two have
no DNSSEC-specific configuration -- a hint that any DNSSEC records they
serve come from this hidden primary.

Make sense? If not, please let me know what other info you need.


More information about the bind-users mailing list