Hello again,
While continuing to troubleshoot, I ran into the following issue on
ISC's GitLab:
https://gitlab.isc.org/isc-projects/bind9/-/issues/3948
While none of my zones had 32 keys yet, they certainly had lots of key
*files*, as each new key creates 3 files.
I removed some long-ago-expired keys from the key directory for three
zones and restarted BIND, and now those three zones are signed again.
... time passes, more testing ...
OK, I removed some old keys for all zones, and then said "rndc loadkeys
that.zone" and they're fixed now too.
Summa summarum: It seems to me that BIND never removes the obsolete
keys, so eventually everyone will run into this same problem?
--
Aleksi Suhonen
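
An added example, not part of the original message: a read-only shell helper that counts the key files a zone has accumulated in the key directory and lists the keys whose deletion time has already passed, so they can be reviewed before a cleanup like the one described above. It assumes the `K*.key` files carry the `; Delete: YYYYMMDDHHMMSS` timing comment written by BIND's key tools; the function names and the sample zone are hypothetical.

```shell
#!/bin/sh
# Read-only inventory of a BIND key directory. Nothing is removed here.

# usage: count_zone_key_files KEYDIR ZONE
# Counts every file belonging to ZONE's keys (each key has several files).
count_zone_key_files() {
    n=0
    for f in "$1"/K"$2".+*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# usage: list_deletable_keys KEYDIR [NOW]   (NOW = UTC YYYYMMDDHHMMSS)
# Prints the base name of each key whose "; Delete:" time is before NOW.
list_deletable_keys() {
    keydir=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    for keyfile in "$keydir"/K*.key; do
        [ -f "$keyfile" ] || continue      # glob matched nothing
        # 14-digit timestamp from the "; Delete:" comment line, if present.
        del=$(sed -n 's/^; Delete: \([0-9]\{14\}\).*/\1/p' "$keyfile" | head -n 1)
        [ -n "$del" ] || continue          # no deletion time set: not listed
        # Fixed-width UTC timestamps compare correctly as integers.
        if [ "$del" -lt "$now" ]; then
            basename "$keyfile" .key
        fi
    done
}

# Run against a real directory when called with arguments, e.g.:
#   sh keycheck.sh /path/to/key-directory
if [ $# -gt 0 ]; then
    list_deletable_keys "$@"
fi
```

Keys with no deletion time in their metadata are not listed and still need a manual look; after removing files, `rndc loadkeys` for the zone makes named re-read the directory, as in the message above.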