KSK signing zone records

Chris Buxton clists at buxtonfamily.us
Mon Aug 30 17:13:05 UTC 2021


What algorithm(s) are you using for ZSK and KSK? If they’re not the same algorithm, then both will be used to sign the entire zone.

Regards,
Chris Buxton

> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users <bind-users at lists.isc.org> wrote:
> 
> Signed PGP part
> I've had an issue with my key rotation process on a couple of zones.  I
> believe I've resolved that issue but it appears to me in several cases
> the KSKs rather than being used to sign the ZSK are being used to sign
> the zone records directly.
> 
> https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=
> 
> I've checked the Publication/Activation dates on the KSKs and they seem
> to be right.  The appropriate DS records should be available at the
> parent zone.  The keys in question are clearly type 257 KSKs.  Is there
> some kind of flag or something I need to add to the key to make it sign
> the ZSKs rather than the records directly?
> 
> I'm running bind 9.16.16.
> 
> 
> --
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210830/55ede8f8/attachment.bin>


More information about the bind-users mailing list