> And what turns out is that it complains that the RRSIG over the DNSKEY > has a bad signer name. This turns out the be correct. > > The smtp.cz DNSKEY RRSIG has a signer name of ".". This should be > "smtp.cz", since it is self-signed. Ah, thanks. Missed that. So it turns out that's more like bug (or feature?) in Bind validation. Ondrej. -- Ondřej Surý <ondrej at sury.org>