Moving from manual signing to fully automatic
I am trying to move to automatic signing, but I am getting this: https://dnsviz.net/d/hnusnik.cz/dnssec/ It seems that my key-signing key is signing my zone as well as the zone-signing key. Basically it looks like this:
KSK -> ZSK -> zone
KSK -> zone
The zone is signed twice. Is it a problem or is it some transition period, because I previously used the key as key-signing and zone-signing. Key management looks like this:
11665a731a34f3c25081bd6052f9e99c4462212d ksk=yes zsk=no tag=46089 algorithm=7 size=2048 public-only=no created=0 pre-active=0 publish=1454094290 ready=0 active=1454094290 retire-active=0 retire=0 post-active=0 remove=0
20dd23d608cbdcd8e1a0378d7ce58850a786b683 ksk=no zsk=yes tag=26150 algorithm=7 size=1024 public-only=no created=1586888881 pre-active=0 publish=1586888881 ready=0 active=1586888881 retire-active=0 retire=0 post-active=0 remove=0
Is there some good study material Czech/English? DNSSEC is always going over my head.
How to migrate to easily migrate to a better signing algorithm?