getting two rrsigs for dnskey after ksk rollover
dot at dotat.at
Thu Sep 21 10:23:17 UTC 2017
> On 20 Sep 2017, at 15:32, rams <bramesh80 at gmail.com> wrote:
> We are getting two RRSIGs and 3 DNSKEYs [1-256 and 2-257] when we do a KSK rollover. Is it correct that we are returning two RRSIGs for DNSKEY?
There are multiple ways to do a KSK rollover: you are doing a double-KSK rollover. The full explanation is in RFC 7583, which I strongly recommend you read (it is not too scary) - the tools are still not robust enough to save you from mistakes.
f.anthony.n.finch <dot at dotat.at> http://dotat.at
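
The state discussed in this thread (one ZSK with flags 256, two KSKs with flags 257, and an RRSIG over the DNSKEY RRset from each KSK) can be checked from dig-style presentation lines. This is an added example, not part of the original message: the zone `example.test`, the filler key bytes, and the classification labels are constructed for illustration, and the key tag is computed as in RFC 4034 Appendix B.

```python
import base64
import struct

def key_tag(flags, proto, alg, pub_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pub_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(lines):
    """Map key tag -> flags for 'owner ttl IN DNSKEY flags proto alg key' lines."""
    keys = {}
    for line in lines:
        f = line.split()
        i = f.index("DNSKEY")
        flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
        keys[key_tag(flags, proto, alg, "".join(f[i + 4:]))] = flags
    return keys

def dnskey_signers(lines):
    """Key tags of the RRSIGs whose type-covered field is DNSKEY."""
    tags = set()
    for line in lines:
        f = line.split()
        i = f.index("RRSIG")
        if f[i + 1] == "DNSKEY":
            tags.add(int(f[i + 7]))  # key tag is the 7th RRSIG RDATA field
    return tags

def classify(dnskey_lines, rrsig_lines):
    keys = parse_dnskeys(dnskey_lines)
    ksks = {tag for tag, flags in keys.items() if flags == 257}
    signers = dnskey_signers(rrsig_lines)
    if signers - set(keys):
        return "RRSIG from a key that is not in the DNSKEY RRset"
    # ksks <= signers: an extra ZSK signature over the RRset is tolerated
    if len(ksks) == 2 and ksks <= signers:
        return "double-KSK rollover in progress"
    if len(ksks) == 1 and ksks <= signers:
        return "single KSK"
    return "unexpected key/signature combination"

def sample(ksk_fill):
    """Constructed records for example.test; key bytes are filler, not real keys."""
    rr = [(257, v, base64.b64encode(bytes([v]) * 64).decode()) for v in ksk_fill]
    rr.append((256, 0x33, base64.b64encode(bytes([0x33]) * 64).decode()))
    dnskeys = [f"example.test. 3600 IN DNSKEY {fl} 3 13 {k}" for fl, _, k in rr]
    rrsigs = [f"example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20171021000000 "
              f"20170921000000 {key_tag(fl, 3, 13, k)} example.test. c2ln"
              for fl, _, k in rr if fl == 257]
    return dnskeys, rrsigs
```

`classify(*sample([0x11, 0x22]))` reports the double-KSK state; it only matches key tags and does not validate the signatures themselves.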