dnssec-keydir enabling DNSSEC may be misleading
dnssec-keydir also enables dnssec-enable, which is strange for the following configuration:
zones {
  dnssec-keydir "...";
  zone unsigned { file "unsigned.zone"; } # I don't want DNSSEC here
  zone signed { dnssec-enable on; file "signed.zone"; } # I want DNSSEC here
}
... This results in the following, and the unsigned zone is not loaded at all. Duh?
2013-10-18T23:55:55 [error] DNSSEC keys could not be loaded (The signing key is invalid.). Not signing the unsigned. zone!
2013-10-18T23:55:55 [error] Failed to init DNSSEC signer (The signing key is invalid.)