key signing

Alan Batie alan at
Tue Mar 10 22:39:52 UTC 2020

I've got a test domain that I thought I had all working, but noticed the
key signing key was missing, so I generated one and did an rndc loadkeys
to get things updated, then generated a ds record for it and uploaded
that to the registrar, however, it still shows broken, and when I look,
I see that the zone signing key 28998 is self-signed, rather than being
signed by the zsk 30841?  Am I misunderstanding something here?

keys/; This is a zone-signing key, keyid
28998, for
keys/; This is a key-signing key, keyid
30841, for

;; ANSWER SECTION:		3600	IN	DNSKEY	256 3 8
V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ;
ZSK; alg = RSASHA256 ; key id = 28998		3600	IN	RRSIG	DNSKEY 8 2 3600 20200409011715
20200310001715 28998
VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4036 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the bind-users mailing list