KSK signing zone records

Timothy A. Holtzen tah at NebrWesleyan.edu
Tue Aug 31 17:44:41 UTC 2021

I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
ZSKs.  And both the RSA and ECDSA ZSKs seem to be singing records
correctly.  It just seems to be the two newer ECDSA KSKs that instead of
signing the ZSKs are singing the domain records directly. 

Even more perplexing is that one of the domains seems to have fixed
itself.  Now all the KSKs for that domain are singing the ZSKs and the
ZSKs are signing the domain records.  But I've still got a couple of
other domains where it is doing it wrong.  Is there some kind of timeout
or maintenance that gets run automatically that might have fixed the
issue?  I've tried running an "rndc sign" command on the domains several

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7

On 8/30/21 17:40, raf via bind-users wrote:
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>> same algorithm, then both will be used to sign the entire zone.
>> Regards,
>> Chris Buxton
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?
> What difference does the nature of the thing
> being signed make?
> cheers,
> raf
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210831/3e24ebf7/attachment.bin>

More information about the bind-users mailing list