On 27-05-2022 15:59, Matthijs Mekking wrote:
> Yes, I would recommend key separation (that is, use a different key-directory per view).
I tried that, gracefully, by setting 'dnssec-policy' to insecure for the internal view. That gave me some issues. Probably, because I had already moved the key for the external view to a separate directory.
Anyway, I couldn't withdraw the original key from the internal view and reverted to the original setup: same key directory and same policy for both internal and external view of zone penguinpee.nl.
> I am going to investigate your configuration more next week, to see if there is a hidden bug.
Thank you for looking into it. If there's anything I can do to assist, please let me know.
Right now, I have a bunch of RRSIG RRs that are about to expire some time on 1 June. One thing that caught my eye when I was poking around is the output of 'rndc zonestatus'. For the internal view I get a date in the future for 'next resign time'. For the external view, the date is in the past. Not sure if that's a telltale sign.
--
Sandro