[dns-operations] Both KSK & ZSK signing DNSKEY records

Phil Pennock dnsop+phil at spodhuis.org
Mon Mar 18 02:09:18 UTC 2013

Been meaning to check: is there any downside, beyond extra bandwidth
conveying extra signatures, to the DNSKEY records in a zone having been
signed by _both_ the KSKs and the ZSKs?

I noticed on Sandia's display tool:
that this is happening, and it's not happening on, eg, psg.com, so my
assumption is that this is an artifact of Bind inline signing.

"dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
from 43854 (KSK) and 56225 (ZSK).

Did I do something wrong?

It seems harmless, beyond the extra payload in responses pushing up
packet sizes.


More information about the dns-operations mailing list