KSK signing zone records

Timothy A. Holtzen tah at NebrWesleyan.edu
Mon Aug 30 16:08:42 UTC 2021


I've had an issue with my key rotation process on a couple of zones. I
believe I've resolved that issue, but it appears to me that in several
cases the KSKs, rather than being used to sign the ZSK, are being used to
sign the zone records directly.

https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=

I've checked the Publication/Activation dates on the KSKs and they seem
to be right. The appropriate DS records should be available at the
parent zone. The keys in question are clearly type 257 KSKs. Is there
some kind of flag or something I need to add to the key to make it sign
the ZSKs rather than the records directly?

I'm running bind 9.16.16. 


-- 

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
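The post relies on the DNSViz graph to spot which key signed which RRset. The same check can be done programmatically from a signed zone dump: compute each DNSKEY's key tag (RFC 4034 Appendix B), record whether the key carries the SEP bit (flags 257, KSK) or not (256, ZSK), and then map every RRSIG's key tag back to that role. Any RRSIG on a non-DNSKEY RRset made by a SEP-flagged key is exactly the situation described above. This is an added illustration, not code from the original post or from BIND; the zone name, the tiny 4-byte "public keys" (not real cryptographic keys) and the signature fields are constructed sample data, and the input is assumed to be one presentation-format record per line with owner, TTL, class, type and RDATA fields.

```python
"""Audit which DNSSEC key signs which RRset in a signed zone dump.

Added example, not code from the original post or from BIND. It assumes
one presentation-format record per line ("owner TTL IN TYPE rdata...").
"""
import base64
import struct
from typing import Dict, List, Tuple


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA
    (flags, protocol, algorithm, public key). Not valid for algorithm 1."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str) -> Tuple[Dict[int, str], List[Tuple[str, str, int]]]:
    """Return (key tag -> 'KSK'/'ZSK', [(owner, type covered, signing key tag)])."""
    keys: Dict[int, str] = {}
    sigs: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rrtype = fields[0], fields[3]
        if rrtype == "DNSKEY":
            flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
            pub = base64.b64decode("".join(fields[7:]))
            # Bit 15 (SEP) set -> flags 257 -> KSK; clear -> flags 256 -> ZSK.
            role = "KSK" if flags & 0x0001 else "ZSK"
            keys[key_tag(flags, proto, alg, pub)] = role
        elif rrtype == "RRSIG":
            # RRSIG RDATA: type-covered alg labels origTTL expiration inception keytag signer sig
            covered, tag = fields[4], int(fields[10])
            sigs.append((owner, covered, tag))
    return keys, sigs


def audit(text: str) -> List[str]:
    """Flag RRSIGs made by a KSK over anything but the DNSKEY RRset, and
    RRSIGs whose key tag matches no published DNSKEY."""
    keys, sigs = parse_zone(text)
    findings: List[str] = []
    for owner, covered, tag in sigs:
        role = keys.get(tag)
        if role is None:
            findings.append(f"{owner} {covered}: RRSIG by unknown key tag {tag}")
        elif role == "KSK" and covered != "DNSKEY":
            findings.append(f"{owner} {covered}: signed by KSK {tag}; expected a ZSK")
    return findings


# Constructed sample zone: toy 4-byte keys, placeholder signatures.
# Key tags 2068 (KSK) and 17517 (ZSK) follow from key_tag() on these bytes.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 13 ECAwQA==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20210930000000 20210830000000 2068 example.test. c2lnMQ==
example.test. 3600 IN RRSIG SOA 13 2 3600 20210930000000 20210830000000 2068 example.test. c2lnMg==
www.example.test. 300 IN RRSIG A 13 3 300 20210930000000 20210830000000 17517 example.test. c2lnMw==
example.test. 3600 IN RRSIG MX 13 2 3600 20210930000000 20210830000000 4242 example.test. c2lnNA==
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(finding)
```

Running the block reports the SOA RRSIG as made by the KSK (the symptom in the post) and the MX RRSIG as made by a key tag that is not published in the zone, which is what a resolver would see after a key is withdrawn before its signatures have been replaced.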


