Spurious DNSKEY records on slave

Alan Clegg alan at clegg.com
Thu Aug 18 18:04:42 UTC 2016


On 8/18/16 1:29 PM, Jim Fenton wrote:

> The extra DNSKEY records were not present in the zone file of the master
> server, so I reinitiated a zone transfer and this did not help. I
> checked the signed zone file on the master with named-checkzone and only
> the desired DNSKEY records were there.

Had your slaves done a successful zone transfer of the newly signed
data?  How did you check to see that the DNSKEYs were actually there?

Remember that the text versions of the zone files on slaves are only
updated about every 15 minutes, so you may have been looking at "stale"
data that was only in the human readable version.  If you did a "dig
@127.0.0.1 zone DNSKEY" while logged into the slave, you would know for
certain what was being served.

AlanC
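
The check suggested above, as an added example that is not part of the original message: it compares the DNSKEY set the slave actually serves with the master's, using saved `dig +short` output. The server address 192.0.2.1, the zone name example.com, the file names and the shortened key data are constructed placeholders.

```shell
#!/bin/sh
# Compare the DNSKEY RRset a master and a slave actually serve.
# Live use (addresses and zone name are placeholders, not from the thread):
#   dig +short @192.0.2.1 example.com DNSKEY > master.txt   # ask the master
#   dig +short @127.0.0.1 example.com DNSKEY > slave.txt    # run on the slave

# Read `dig +short ... DNSKEY` output on stdin and print one line per key as
# "flags protocol algorithm keydata". dig splits the base64 key data into
# space-separated chunks, so the chunks are rejoined before comparing.
normalize_dnskeys() {
    awk 'NF >= 4 {
             k = ""
             for (i = 4; i <= NF; i++) { k = k $i }
             print $1, $2, $3, k
         }' | LC_ALL=C sort -u
}

# Print keys present in the slave's answer ($2) but absent from the master's ($1).
spurious_dnskeys() {
    m=$(mktemp) && s=$(mktemp) || return 1
    normalize_dnskeys < "$1" > "$m"
    normalize_dnskeys < "$2" > "$s"
    LC_ALL=C comm -13 "$m" "$s"
    rm -f "$m" "$s"
}

# Constructed sample answers with fake, shortened key data. The slave wraps
# one key differently and serves one key the master does not have.
sample_master() { cat <<'EOF'
257 3 8 AwEAAbKSK1 constructedAAAA
256 3 8 AwEAAcZSK1 constructedBBBB
EOF
}
sample_slave() { cat <<'EOF'
256 3 8 AwEAAcZSK1constructedBBBB
257 3 8 AwEAAbKSK1 constructedAAAA
256 3 8 AwEAAdOLD1 constructedCCCC
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_master > "$d/master.txt"
    sample_slave  > "$d/slave.txt"
    spurious_dnskeys "$d/master.txt" "$d/slave.txt"
    rm -rf "$d"
}
demo
```

Empty output means the slave serves exactly the master's keys; any line printed is a key only the slave is handing out.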
