On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews <[email protected]> wrote:
> The rules for what gets signed by what are per algorithm. Additionally the
> SEP bit is a hint to the signer as to what is desired. Named has controls to
> say whether to pay attention to the SEP bit or not. Additionally it will
> override those controls to pay attention to the SEP bit if it believes that
> the zone won’t be correctly signed if it paid attention to the SEP bit.
>
> People have created zones where one algorithm has keys with and without the
> SEP bit for one algorithm but for a second algorithm there are only keys with
> (without) the SEP bit. If the signer has been told to honour the SEP bit then
> for the first algorithm it will be honoured and for the second algorithm the
> instruction will be overridden.
>
> See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of
> dnssec-policy.

Thanks.

cheers,
raf
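A simplified model of the per-algorithm rule described in the quoted text, as an added example that is not part of the original thread and is not BIND's own code. The function name `sep_plan`, the single `honour_sep` switch (standing in for the named controls) and the key tags are assumptions; where the hint cannot be used, the model lets every key of that algorithm sign everything.

```python
from collections import defaultdict

ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key may sign zone data (RFC 4034)
SEP = 0x0001       # DNSKEY flags bit 15: Secure Entry Point hint


def sep_plan(dnskeys, honour_sep=True):
    """Model the per-algorithm decision for (algorithm, flags, key_tag) tuples.

    Assumption: honour_sep stands in for the named controls the post lists.
    Returns {algorithm: {"sep_honoured", "dnskey_signers", "data_signers"}}.
    """
    by_alg = defaultdict(list)
    for alg, flags, tag in dnskeys:
        if flags & ZONE_KEY:  # keys without the zone-key bit never sign the zone
            by_alg[alg].append((flags, tag))

    plan = {}
    for alg, keys in sorted(by_alg.items()):
        with_sep = sorted(tag for flags, tag in keys if flags & SEP)
        without_sep = sorted(tag for flags, tag in keys if not flags & SEP)
        # The split is only usable when this algorithm has both kinds of key;
        # otherwise honouring the hint would leave part of the zone unsigned.
        honoured = honour_sep and bool(with_sep) and bool(without_sep)
        if honoured:
            dnskey_signers, data_signers = with_sep, without_sep
        else:
            dnskey_signers = data_signers = sorted(with_sep + without_sep)
        plan[alg] = {
            "sep_honoured": honoured,
            "dnskey_signers": dnskey_signers,
            "data_signers": data_signers,
        }
    return plan


# Constructed sample: algorithm 8 (RSASHA256) has keys with and without SEP,
# algorithm 13 (ECDSAP256SHA256) has only a key with SEP. Key tags are made up.
SAMPLE_KEYS = [
    (8, 257, 11111),   # flags 257 = zone key + SEP
    (8, 256, 22222),   # flags 256 = zone key, no SEP
    (13, 257, 33333),
]

if __name__ == "__main__":
    for alg, entry in sep_plan(SAMPLE_KEYS).items():
        print(alg, entry)
```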

