Hm, seems I need to follow up on my own posting, as I see that all the three "bad" zones have *two* NSEC3PARAM records:
255.39.128.in-addr.arpa. 0 IN NSEC3PARAM 1 0 5 45F39B9A60C14581 255.39.128.in-addr.arpa. 0 IN NSEC3PARAM 1 0 5 D9E0ED2449E3721D while the good one only has one: 255.39.128.in-addr.arpa. 0 IN NSEC3PARAM 1 0 5 45F39B9A60C14581 I bet that's what's causing BIND's dnssec-verify to balk at the "bad" zones. Regards, - HÃ¥vard _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
