> On 20 Sep 2017, at 15:32, rams <[email protected]> wrote: > > We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK > rollover. Is it correct we are returning two RRSIGs for DNSKEY?
Yes :-) There are multiple ways to do a KSK rollover: you are doing a double-KSK rollover. The full explanation is in RFC 7583 which I strongly recommend you read (it is not too scary) - the tools are still not robust enough to save you from mistakes. https://tools.ietf.org/html/rfc7583#section-2.2 Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
