getting two rrsigs for dnskey after ksk rollover
Tony Finch
dot at dotat.at
Thu Sep 21 10:23:17 UTC 2017
> On 20 Sep 2017, at 15:32, rams <bramesh80 at gmail.com> wrote:
>
> We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK rollover. Is it correct we are returning two RRSIGs for DNSKEY?
Yes :-)
There are multiple ways to do a KSK rollover: you are doing a double-KSK rollover. The full explanation is in RFC 7583 which I strongly recommend you read (it is not too scary) - the tools are still not robust enough to save you from mistakes.
https://tools.ietf.org/html/rfc7583#section-2.2
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at
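
The state described in the reply above (two KSKs published and the DNSKEY RRset signed by both) can be checked by matching each RRSIG's key tag to a DNSKEY. This is an added example, not part of the original message or of BIND; `SAMPLE`, `key_tag` and `analyse` are hypothetical names, and the zone data is constructed with toy keys.

```python
import base64
import struct

# Constructed sample RRset in presentation format (toy 3-byte keys and dummy
# signatures, not real key material): one ZSK (256) and two KSKs (257).
SAMPLE = """\
example. 3600 IN DNSKEY 256 3 8 BAUG
example. 3600 IN DNSKEY 257 3 8 AQID
example. 3600 IN DNSKEY 257 3 8 BwgJ
example. 3600 IN RRSIG DNSKEY 8 1 3600 20171021000000 20170921000000 2059 example. c2ln
example. 3600 IN RRSIG DNSKEY 8 1 3600 20171021000000 20170921000000 5137 example. c2ln
"""

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def analyse(rrset_text: str) -> dict:
    """Map each DNSKEY to its key tag and report which keys signed the RRset."""
    ksks, zsks, signers = set(), set(), []
    for line in rrset_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            wire = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(rdata[3:]))
            # SEP bit (lowest flag bit) set: by convention the key is a KSK
            (ksks if flags & 0x0001 else zsks).add(key_tag(wire))
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signers.append(int(rdata[6]))  # key tag field of the RRSIG
    ksk_signers = sorted(t for t in signers if t in ksks)
    return {
        "ksk_tags": sorted(ksks),
        "zsk_tags": sorted(zsks),
        "ksk_signers": ksk_signers,
        "unmatched_signers": sorted(t for t in signers if t not in ksks | zsks),
        # Two published KSKs, both signing the DNSKEY RRset: double-KSK state
        "double_ksk": len(ksks) == 2 and ksk_signers == sorted(ksks),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A non-empty `unmatched_signers` list means an RRSIG refers to a key that is not in the published DNSKEY RRset, which is worth investigating before removing the old KSK.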