[dns-operations] Both KSK & ZSK signing DNSKEY records
Evan Hunt
each at isc.org
Mon Mar 18 03:29:37 UTC 2013
On Sun, Mar 17, 2013 at 10:09:18PM -0400, Phil Pennock wrote:
> "dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
> from 43854 (KSK) and 56225 (ZSK).
>
> Did I do something wrong?

No, this is the default behavior. If you're using automatic signing,
you can override this by adding "dnssec-dnskey-kskonly yes;" to your
options statement. If you're using dnssec-signzone, you can override
it by using the -x flag.

> It seems harmless, beyond the extra payload in responses pushing up
> packet sizes.

Exactly so.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
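
Added example, not part of the original message or of BIND: a small checker that reads the answer section of "dig +dnssec -t dnskey <zone>" and reports whether the DNSKEY RRset is signed by the KSK only or by the ZSK as well, by computing each key's tag (RFC 4034 Appendix B) and matching it against the RRSIG key-tag field. The zone example.test, the key bytes and the signature text are constructed placeholders, and the function names are hypothetical.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_signers(dig_answer):
    """Return {key_tag: 'KSK'|'ZSK'|'unknown'} for every RRSIG covering DNSKEY."""
    roles, signers = {}, []
    for line in dig_answer.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            # dig may split the base64 key into several space-separated chunks
            tag = key_tag(flags, proto, alg, "".join(rdata[3:]))
            roles[tag] = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit set => KSK
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signers.append(int(rdata[6]))  # 7th RRSIG field is the key tag
    return {tag: roles.get(tag, "unknown") for tag in signers}

def zsk_signs_dnskey(dig_answer):
    """True when a non-SEP key also signed the DNSKEY RRset (the default behavior)."""
    return "ZSK" in dnskey_signers(dig_answer).values()

def build_sample(kskonly=False):
    """Constructed answer section; key bytes and signatures are placeholders."""
    keys = [(257, base64.b64encode(b"constructed-ksk-bytes").decode()),
            (256, base64.b64encode(b"constructed-zsk-bytes").decode())]
    lines = [f"example.test. 3600 IN DNSKEY {f} 3 8 {pub}" for f, pub in keys]
    for f, pub in (keys[:1] if kskonly else keys):
        lines.append("example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130417000000 "
                     f"20130318000000 {key_tag(f, 3, 8, pub)} example.test. c2ln")
    return "\n".join(lines)

if __name__ == "__main__":
    for mode in (False, True):
        print("kskonly" if mode else "default", dnskey_signers(build_sample(mode)))
```

The checker only matches key tags; it does not validate the signatures themselves.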