Been meaning to check: is there any downside, beyond extra bandwidth conveying extra signatures, to the DNSKEY records in a zone having been signed by _both_ the KSKs and the ZSKs?
I noticed on Sandia's display tool: http://dnsviz.net/d/spodhuis.org/dnssec/ that this is happening, and it's not happening on, e.g., psg.com, so my assumption is that this is an artifact of BIND inline signing.

"dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each from 43854 (KSK) and 56225 (ZSK).

Did I do something wrong? It seems harmless, beyond the extra payload in responses pushing up packet sizes.

Thanks,
-Phil
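The check described in the message above can be run offline against a saved "dig +dnssec -t dnskey" answer. This is an added example, not part of the original post: it computes each DNSKEY's key tag (RFC 4034 Appendix B) and reports whether each RRSIG over the DNSKEY RRset came from a KSK or a ZSK. The zone example.test, the key material and the signatures are constructed placeholders, and the parser assumes one record per line (dig's default, not +multiline).

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_signers(answer):
    """Return {key tag: role} for every RRSIG covering the DNSKEY RRset."""
    roles, signers = {}, []
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue  # skips blank lines and dig's ';' comment lines
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            # SEP bit (0x0001) set marks a KSK; zone-key bit alone marks a ZSK.
            roles[key_tag(flags, proto, alg, pub)] = "KSK" if flags & 1 else "ZSK"
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) > 10:
            signers.append(int(f[10]))  # key tag field of the RRSIG
    return {tag: roles.get(tag, "unknown") for tag in signers}

# Constructed sample for example.test: placeholder key material and signatures.
KSK_PUB = base64.b64encode(b"constructed-ksk-public-key").decode()
ZSK_PUB = base64.b64encode(b"constructed-zsk-public-key").decode()
KSK_TAG = key_tag(257, 3, 8, base64.b64decode(KSK_PUB))
ZSK_TAG = key_tag(256, 3, 8, base64.b64decode(ZSK_PUB))
RRSIG = "example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20300101000000 20291201000000"
SAMPLE = f"""\
example.test. 3600 IN DNSKEY 257 3 8 {KSK_PUB}
example.test. 3600 IN DNSKEY 256 3 8 {ZSK_PUB}
{RRSIG} {KSK_TAG} example.test. c2lnLWJ5LWtzaw==
{RRSIG} {ZSK_TAG} example.test. c2lnLWJ5LXpzaw==
"""

if __name__ == "__main__":
    for tag, role in dnskey_signers(SAMPLE).items():
        print(f"DNSKEY RRset signed by key tag {tag} ({role})")
```

A signer reported as "unknown" means the RRSIG's key tag matches no DNSKEY in the answer, which is worth investigating separately from the double-signing question.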
