today I tested the dnssec setup again. The DS record is set up correctly this time, but the cheking of the ds entry in the 1.0.8.1.4.1.1.0.0.2.ip6.arpa fails, because the dlv record for this zone is not matching the dnskey of the zone: dig -t dlv 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. @2001:4f8:0:2::20 ; <<>> DiG 9.8.0-P2 <<>> -t dlv 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. @2001:4f8:0:2::20 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27662 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. IN DLV ;; ANSWER SECTION: 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. 3600 IN DLV 14086 8 1 510F18BB6F182C99FEE418988B610F2A3C5EAD3C 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. 3600 IN DLV 14086 8 2 263B8C32E5D4060B81A510DD6B74E612AEFA1C7D49D9FB39828D25EE C60E3075 but according to dnssec-dsfromkey it should be 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. IN DLV 22366 8 1 21622EB30D0BEFB86BFE9BEE05CF6A7D3A7BE968 1.0.8.1.4.1.1.0.0.2.ip6.arpa.dlv.isc.org. IN DLV 22366 8 2 24BED6D3F70759F8F0B4FE35AF3C8041D854ED7328D2DE17E18C6448 BF40B522 the DNSKEY with id 14086 is even missing and a key with ID 14214 is revoked, so i guess something with the ZSK rollover went wrong the symptoms now are that for every reverse lookup of any 2001:1418:100::/40 and 2001:1418:200::/40, I get a Server Fail response from my bind server, except my own subnet, because it is authoritative for this zone