[ldns-users] how to use ldns-signzone with many KSK

Jelte Jansen jelte at NLnetLabs.nl
Sun Apr 5 18:31:48 UTC 2009



Dmitriy Demidov wrote:
> Hi list.
> 
> Is it possible to use two KSK with ldns-signzone? How?
> 
> $ ldns-signzone -vV
> zone signer version 1.5.1 (ldns version 1.5.1)
> 

It should be; ldns-signzone infers the KSK/ZSK status from either the DNSKEY
list in the input zone file or the .key file in the same directory as the
.private file. If the SEP bit is set, it uses the key as a KSK.

If it cannot find the DNSKEY record in the zone, and cannot find the .key file,
it will generate a DNSKEY record and add it. However, in this case it will
assume that the key is a ZSK.

So simply specifying all keys on the command line should work, without extra
flags to tell which key is which, as long as the .key file is present and the
SEP bit is set.

If it doesn't, you may have hit a bug (but it seems to work here for me).

Jelte

PS. I am aware that according to some people SEP does not equal KSK, and those
people have pretty much convinced me that that is indeed the case, so something
like the -k argument might appear in the future. At this time this is still
inferred automatically however.
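The rule described above (a key is treated as a KSK exactly when the SEP bit of the DNSKEY flags field is set) can be checked before signing. The following is an added example, not code from ldns or from the post's author: it parses the DNSKEY lines from ldns-keygen style `.key` files, classifies each key by the SEP bit, computes the RFC 4034 key tag, and reconstructs the `K<name>+<alg>+<tag>` base name that ldns-signzone takes on its command line. The two DNSKEY records are constructed samples with tiny fake public keys, so their key tags are small; real keys give realistic tags with the same code.

```python
"""Predict which keys ldns-signzone will treat as KSK (SEP bit set) or ZSK.

Added example, not part of ldns. Flag bits per RFC 4034 section 2.1 and
RFC 3757; key tag per RFC 4034 Appendix B.
"""
import base64
from dataclasses import dataclass

FLAG_ZONE_KEY = 0x0100  # bit 7: DNSKEY holds a zone key (256)
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point; ldns-signzone reads it as "KSK"

# Constructed sample in ldns-keygen .key file layout (fake 4-byte public keys,
# not real RSA material). The ";{id = ...}" trailer mimics what ldns-keygen writes.
SAMPLE_KEY_FILES = """\
example.com.\t3600\tIN\tDNSKEY\t257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b}
example.com.\t3600\tIN\tDNSKEY\t256 3 8 BQYHCA== ;{id = 4118 (zsk), size = 32b}
"""


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & FLAG_ZONE_KEY)

    @property
    def is_ksk(self) -> bool:
        # This is the inference ldns-signzone makes: SEP bit set => KSK.
        return bool(self.flags & FLAG_SEP)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        rdata = self.rdata()
        if self.algorithm == 1:
            # RSAMD5 special case (RFC 4034 B.1): 16 bits taken from the modulus.
            return int.from_bytes(rdata[-3:-1], "big")
        ac = 0
        for i, b in enumerate(rdata):  # sum RDATA as big-endian 16-bit words
            ac += b if (i & 1) else (b << 8)
        ac += (ac >> 16) & 0xFFFF      # fold the carry back in
        return ac & 0xFFFF

    def ldns_basename(self) -> str:
        # ldns-keygen names key pairs K<owner>+<alg, 3 digits>+<tag, 5 digits>.{key,private}
        return f"K{self.owner}+{self.algorithm:03d}+{self.key_tag():05d}"


def parse_dnskey_text(text: str) -> list:
    """Parse every DNSKEY RR in presentation format; ';' starts a comment."""
    keys = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tok[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tok[i + 4:]))  # base64 may be split across tokens
        keys.append(DnsKey(tok[0], flags, proto, alg, pubkey))
    return keys


def classify(text: str) -> dict:
    """Return the base names ldns-signzone will treat as KSK and as ZSK."""
    result = {"ksk": [], "zsk": [], "not_zone_key": []}
    for k in parse_dnskey_text(text):
        if not k.is_zone_key:
            result["not_zone_key"].append(k.ldns_basename())
        elif k.is_ksk:
            result["ksk"].append(k.ldns_basename())
        else:
            result["zsk"].append(k.ldns_basename())
    return result


def signzone_argv(zonefile: str, text: str) -> list:
    """All keys go on the command line; no per-key role flag is needed."""
    c = classify(text)
    return ["ldns-signzone", zonefile] + c["ksk"] + c["zsk"]


if __name__ == "__main__":
    print(classify(SAMPLE_KEY_FILES))
    print(" ".join(signzone_argv("example.com.zone", SAMPLE_KEY_FILES)))
```

Point the parser at the concatenated `.key` files that sit next to your `.private` files; a key listed under `zsk` that you intended as a KSK has its `.key` file written without the SEP bit (ldns-keygen `-k` sets it), and a key whose `.key` file is missing altogether is, per the reply above, regenerated by ldns-signzone as a ZSK regardless of how it was made.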
