I see two DNSKEY RRSIGs. If the zones are signed by Knot, there should
be just one RRSIG for DNSKEY. Try `knotc zone-sign` to see if it
removes the defective signatures.

so our attempts at diagnosis indicate that the primary, running knot,
and secondaries which run knot, return one RRSIG. secondaries running
bind return two. we're digging further.
randy