do not stupidly delete ZSK files

Tony Finch dot at
Fri Jul 31 11:33:26 UTC 2015

David Newman <dnewman at> wrote:
> On 7/30/15 10:37 AM, Evan Hunt wrote:
> > On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
> >>
> >> Hidden primary (not authoritative for this zone): Key still in zone

I think what you mean here is that the hidden primary is not advertised in
the zone's NS RRset. (Whether a server is authoritative for a zone or not
depends on the server configuration, not the NS RRset.)

> Most zones have four authoritative nameservers, only one of which I
> manage. Of the three I don't manage, I'm pretty sure at least two have
> no DNSSEC-specific configuration -- a hint that any DNSSEC records they
> serve come from this hidden primary.

The DNSSEC records come from the zone data like any other records. You
don't need any special DNSSEC configuration to act as a secondary for a
signed zone - it just works.

I don't have any particular suggestions for your problem other than
checking zone serial numbers and transfer logs carefully.

f.anthony.n.finch  <dot at>
Viking, North Utsire, West South Utsire: Variable 3 or 4 becoming southerly or
southeasterly 4 or 5, occasionally 6 later. Slight or moderate. Showers. Good,
occasionally moderate.

More information about the bind-users mailing list