CDS/CDNSKEY records should be signed by KSK
I've come across an interoperability issue between Knot DNS and the dnssec-cds utility, part of BIND. This utility insists on CDS/CDNSKEY records signed by the KSK; to be precise, CDS/CDNSKEY have to be signed by the same key to which the current DS record points. Therefore it fails to validate CDS/CDNSKEY records if the zone is set up to use KSK and ZSK.
There is an old thread about this topic in Knot-DNS users mailing list by @stirnimann, but I didn't find any issue about this.
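
Added example, not part of the original issue and not code from Knot DNS or BIND: a sketch of the check described above, which compares the key tags of the RRSIGs covering CDS/CDNSKEY with the key tags in the parent's DS set. The key material is constructed, the function names are hypothetical, and matching is by key tag only (a real validator also verifies the signature and the DS digest).

```python
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    Not valid for algorithm 1 (RSA/MD5), which defines its tag differently.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low one.
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def cds_signers_matching_ds(ds_key_tags, cds_rrsig_key_tags):
    """Key tags that sign the CDS/CDNSKEY RRset and are referenced by a DS record."""
    return set(ds_key_tags) & set(cds_rrsig_key_tags)

# Constructed sample keys (algorithm 13, 64 filler bytes; not real curve points).
KSK_TAG = key_tag(257, 3, 13, bytes(range(64)))       # flags 257: SEP bit set
ZSK_TAG = key_tag(256, 3, 13, bytes(range(64, 128)))  # flags 256: zone key only
PARENT_DS = [KSK_TAG]  # assumption: the parent's DS points at the KSK

def check(label, cds_rrsig_key_tags):
    """Report whether any CDS/CDNSKEY signer is a key the current DS points to."""
    matching = cds_signers_matching_ds(PARENT_DS, cds_rrsig_key_tags)
    verdict = "accepted" if matching else "rejected"
    print(f"{label}: signers={sorted(cds_rrsig_key_tags)} "
          f"ds={PARENT_DS} -> {verdict}")
    return bool(matching)

if __name__ == "__main__":
    # KSK/ZSK split where only the ZSK signs CDS/CDNSKEY: no overlap with DS.
    check("CDS signed by ZSK only", [ZSK_TAG])
    # Same zone with the KSK also signing CDS/CDNSKEY: overlap with DS.
    check("CDS signed by KSK and ZSK", [KSK_TAG, ZSK_TAG])
```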