do not stupidly delete ZSK files

David Newman dnewman at
Fri Jul 31 17:34:51 UTC 2015

On 7/31/15 4:33 AM, Tony Finch wrote:
> David Newman <dnewman at> wrote:
>> On 7/30/15 10:37 AM, Evan Hunt wrote:
>>> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
>>>> Hidden primary (not authoritative for this zone): Key still in zone
> I think what you mean here is that the hidden primary is not advertised in
> the zone's NS RRset. (Whether a server is authoritative for a zone or not
> depends on the server configuration, not the NS RRset.)
>> Most zones have four authoritative nameservers, only one of which I
>> manage. Of the three I don't manage, I'm pretty sure at least two have
>> no DNSSEC-specific configuration -- a hint that any DNSSEC records they
>> serve come from this hidden primary.
> The DNSSEC records come from the zone data like any other records. You
> don't need any special DNSSEC configuration to act as a secondary for a
> signed zone - it just works.
> I don't have any particular suggestions for your problem other than
> checking zone serial numbers and transfer logs carefully.

Thanks. For reasons passing understanding, that "bad key" was gone
queries against the hidden primary after a few hours. This is running
the same dig query as before, and with no other config changes to the

Unclear why the hidden primary ever returned that key after Evan's
instructions, but all is good now.

Thanks very much to everyone who responded.


More information about the bind-users mailing list