[dns-operations] Both KSK & ZSK signing DNSKEY records

Evan Hunt each at isc.org
Mon Mar 18 03:29:37 UTC 2013

On Sun, Mar 17, 2013 at 10:09:18PM -0400, Phil Pennock wrote:
> "dig +dnssec -t dnskey spodhuis.org" shows two RRSIG records, one each
> from 43854 (KSK) and 56225 (ZSK).
> Did I do something wrong?

No, this is the default behavior.  If you're using automatic signing,
you can override this by adding "dnssec-dnskey-kskonly yes;" to your
options statement.  If you're using dnssec-signzone, you can override
it by using the -x flag.

> It seems harmless, beyond the extra payload in responses pushing up
> packet sizes.

Exactly so.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the dns-operations mailing list