<div dir="ltr"><div>Hello,</div>
<div><br></div>
opendnssec version 1.4.13.
<div><br></div>
<div>The zonefile is signed with 51915 ZSK when I'm expecting it to be signed with 37063 ZSK. The DNSKEY RRset contains all four keys and is correctly signed with both KSKs. I force signing with ods-signer sign zone with the same result.<br>
<div><br></div>
<div>
<div># ods-ksmutil key list -z <a href="http://example.com">example.com</a> -v</div>
<div>...</div>
<div>Keys:</div>
<div>Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:</div>
<div><a href="http://example.com">example.com</a>                           KSK           active    2017-03-29 15:38:36 (retire)   2048    8           379855eb637390420bb659c63e34875a  Keyper                            31082</div>
<div><a href="http://example.com">example.com</a>                           ZSK           retire    2017-07-30 23:59:30 (dead)     2048    8           898c304545fcf1bbd3b4f4dee01de431  Keyper                            51915</div>
<div><a href="http://example.com">example.com</a>                           KSK           ready     waiting for ds-seen (active)   2048    8           41cc87e43330a139c10daec84c926af6  Keyper                            35999</div>
<div><a href="http://example.com">example.com</a>                           ZSK           active    2017-10-30 21:59:30 (retire)   2048    8           569cfa7acc4e45518ba9c6bb64660b6d  Keyper                            37063</div>
</div>
<div><br></div>
</div>
<div>from signconf file for the zone:</div>
<div><br></div>
<div>
<div>                &lt;Keys&gt;</div>
<div>                        &lt;TTL&gt;PT3600S&lt;/TTL&gt;</div>
<div>                        &lt;Key&gt;</div>
<div>                                &lt;Flags&gt;257&lt;/Flags&gt;</div>
<div>                                &lt;Algorithm&gt;8&lt;/Algorithm&gt;</div>
<div>                                &lt;Locator&gt;379855eb637390420bb659c63e34875a&lt;/Locator&gt;</div>
<div>                                &lt;KSK /&gt;</div>
<div>                                &lt;Publish /&gt;</div>
<div>                        &lt;/Key&gt;</div>
<div><br></div>
<div>                        &lt;Key&gt;</div>
<div>                                &lt;Flags&gt;257&lt;/Flags&gt;</div>
<div>                                &lt;Algorithm&gt;8&lt;/Algorithm&gt;</div>
<div>                                &lt;Locator&gt;41cc87e43330a139c10daec84c926af6&lt;/Locator&gt;</div>
<div>                                &lt;KSK /&gt;</div>
<div>                                &lt;Publish /&gt;</div>
<div>                        &lt;/Key&gt;</div>
<div><br></div>
<div>                        &lt;Key&gt;</div>
<div>                                &lt;Flags&gt;256&lt;/Flags&gt;</div>
<div>                                &lt;Algorithm&gt;8&lt;/Algorithm&gt;</div>
<div>                                &lt;Locator&gt;898c304545fcf1bbd3b4f4dee01de431&lt;/Locator&gt;</div>
<div>                                &lt;Publish /&gt;</div>
<div>                        &lt;/Key&gt;</div>
<div><br></div>
<div>                        &lt;Key&gt;</div>
<div>                                &lt;Flags&gt;256&lt;/Flags&gt;</div>
<div>                                &lt;Algorithm&gt;8&lt;/Algorithm&gt;</div>
<div>                                &lt;Locator&gt;569cfa7acc4e45518ba9c6bb64660b6d&lt;/Locator&gt;</div>
<div>                                &lt;ZSK /&gt;</div>
<div>                                &lt;Publish /&gt;</div>
<div>                        &lt;/Key&gt;</div>
<div><br></div>
<div>                &lt;/Keys&gt;</div>
</div>
<div><br></div>
<div>This is from the backup2 file which is recent:</div>
<div>
<div>;;Key: locator 379855eb637390420bb659c63e34875a algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0</div>
<div>;;Key: locator 41cc87e43330a139c10daec84c926af6 algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0</div>
<div>;;Key: locator 898c304545fcf1bbd3b4f4dee01de431 algorithm 8 flags 256 publish 1 ksk 0 zsk 1 rfc5011 0</div>
<div>;;Key: locator 569cfa7acc4e45518ba9c6bb64660b6d algorithm 8 flags 256 publish 1 ksk 0 zsk 0 rfc5011 0</div>
</div>
<div><br></div>
<div>And here are the signatures created:</div>
<div><div><a href="http://example.com">example.com</a>.  86400   IN      RRSIG   SOA 8 2 86400 20170818133611 20170718123611 51915 <a href="http://example.com">example.com</a>. IFHFZF7DTgwPATmWw3tLyEAYUdwGMhH9BCON4uGr7invMz64NRNLD142Yz...<br></div></div>
<div><a href="http://example.com">example.com</a>.  86400   IN      RRSIG   NS 8 2 86400 20170818133611 20170718123611 51915 <a href="http://example.com">example.com</a>. K37AntYRr29Ad9H/EvlDsjwFHhLLnj4TBq2x93flDa4laMhyXdgKAQz0t4SnBp49...</div>
<div><br></div>
<div>Thank you in advance.</div>
<div>Emil</div>
</div>
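<div>Added example, not part of the original post and not OpenDNSSEC code: a cross-check of the per-key role flags in a signconf against the <code>;;Key:</code> lines of a signer backup file, which for the excerpts quoted above reports that the two files put the ZSK role on different locators. The sample strings are constructed from the two ZSK entries in the post; the function names are hypothetical, and the script assumes only the element names and field layout visible in those excerpts.</div>

```python
import xml.etree.ElementTree as ET

# Constructed sample input, reduced to the two ZSK entries quoted in the post.
SIGNCONF = """<Keys>
  <Key><Flags>256</Flags><Algorithm>8</Algorithm>
    <Locator>898c304545fcf1bbd3b4f4dee01de431</Locator><Publish /></Key>
  <Key><Flags>256</Flags><Algorithm>8</Algorithm>
    <Locator>569cfa7acc4e45518ba9c6bb64660b6d</Locator><ZSK /><Publish /></Key>
</Keys>"""
BACKUP = """\
;;Key: locator 898c304545fcf1bbd3b4f4dee01de431 algorithm 8 flags 256 publish 1 ksk 0 zsk 1 rfc5011 0
;;Key: locator 569cfa7acc4e45518ba9c6bb64660b6d algorithm 8 flags 256 publish 1 ksk 0 zsk 0 rfc5011 0
"""
ROLES = ("publish", "ksk", "zsk")

def roles_from_signconf(xml_text):
    """Map locator -> role flags, taken from the <Key> elements of a signconf."""
    out = {}
    for key in ET.fromstring(xml_text).iter("Key"):
        loc = key.findtext("Locator").strip()
        out[loc] = {r: int(key.find(tag) is not None)
                    for r, tag in zip(ROLES, ("Publish", "KSK", "ZSK"))}
    return out

def roles_from_backup(text):
    """Map locator -> role flags, taken from ';;Key:' lines of a backup file."""
    out = {}
    for line in text.splitlines():
        if not line.startswith(";;Key:"):
            continue
        fields = line.split()[1:]  # alternating name/value tokens
        kv = dict(zip(fields[0::2], fields[1::2]))
        out[kv["locator"]] = {r: int(kv[r]) for r in ROLES}
    return out

def role_mismatches(signconf_xml, backup_text):
    """Return (locator, role, signconf_value, backup_value) for every disagreement."""
    conf, back = roles_from_signconf(signconf_xml), roles_from_backup(backup_text)
    diffs = []
    for loc in sorted(set(conf) | set(back)):
        for r in ROLES:
            a, b = conf.get(loc, {}).get(r), back.get(loc, {}).get(r)
            if a != b:  # None means the key is missing from one side
                diffs.append((loc, r, a, b))
    return diffs

if __name__ == "__main__":
    for loc, role, a, b in role_mismatches(SIGNCONF, BACKUP):
        print(f"{loc}: {role} signconf={a} backup={b}")
```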