[ldns-users] how to use ldns-signzone with many KSK

Dmitriy Demidov dima_bsd at inbox.lv
Sun Apr 5 19:07:23 UTC 2009


On Sunday 05 April 2009, Jelte Jansen wrote:
> Dmitriy Demidov wrote:
> > Hi list.
> >
> > Is it possible to use two KSK with ldns-signzone? How?
> >
> > $ ldns-signzone -vV
> > zone signer version 1.5.1 (ldns version 1.5.1)
>
> It should be; ldns-signzone infers the KSK/ZSK status from either the
> DNSKEY list in the input zone file or the .key file in the same directory
> as the .private file. If the SEP bit is set, it uses the key as a KSK.
>
> If it cannot find the DNSKEY record in the zone, and cannot find the .key
> file, it will generate a DNSKEY record and add it. However, in this case it
> will assume that the key is a ZSK.
>
> So simply specifying all keys on the command line should work, without
> extra flags to tell which key is which. As long as the .key file is present
> and the SEP bit is set.
>
> If it doesn't, you may have hit a bug (but it seems to work here for me).
>
> Jelte
>
> PS. I am aware that according to some people SEP does not equal KSK, and
> those people have pretty much convinced me that that is indeed the case, so
> something like the -k argument might appear in the future. At this time
> this is still inferred automatically however.

Hi Jelte.

Thank you for the information - I will continue my tests more carefully.
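As an added illustration of the rule Jelte describes above (zone key with the SEP bit set is treated as a KSK, zone key without it as a ZSK), and not code from ldns or from either poster: a small Python checker that reads DNSKEY records in the presentation format a .key file uses and reports which ones ldns-signzone would take as KSKs. The sample records and their key material are constructed placeholders, not real keys; the flag bit values are the ones from RFC 4034.

```python
"""Classify DNSKEY records as KSK or ZSK from the SEP bit.

Added example (not ldns code): the same inference ldns-signzone is
described as making when it finds a DNSKEY record or .key file.
"""
import re

ZONE_KEY = 0x0100   # RFC 4034 flags bit 7: this key is a zone key (value 256)
SEP = 0x0001        # RFC 4034 flags bit 15: Secure Entry Point (value 1)

# Presentation format: owner [ttl] [IN] DNSKEY flags protocol algorithm base64-key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<key>[A-Za-z0-9+/=\s]+?)\s*$"
)


def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format; return a dict or None."""
    line = line.split(";", 1)[0].strip()   # drop trailing ';' comments
    if not line:
        return None
    m = DNSKEY_RE.match(line)
    if not m:
        return None
    return {
        "owner": m.group("owner"),
        "flags": int(m.group("flags")),
        "protocol": int(m.group("proto")),
        "algorithm": int(m.group("alg")),
        "key": "".join(m.group("key").split()),   # base64 may be wrapped
    }


def classify_flags(flags):
    """Apply the SEP rule: zone key + SEP -> KSK, zone key alone -> ZSK."""
    if not flags & ZONE_KEY:
        return "not a zone key"
    return "KSK" if flags & SEP else "ZSK"


def classify_keys(text):
    """Return [(owner, flags, role)] for every DNSKEY RR found in text."""
    out = []
    for line in text.splitlines():
        rec = parse_dnskey(line)
        if rec is None:
            continue
        if rec["protocol"] != 3:
            role = "invalid (protocol must be 3)"
        else:
            role = classify_flags(rec["flags"])
        out.append((rec["owner"], rec["flags"], role))
    return out


# Constructed sample in .key-file style. The base64 fields are placeholders,
# not real key material; two records carry 257 (KSK), one 256 (ZSK),
# and one has no zone-key bit at all.
SAMPLE_KEYS = """\
; constructed records for the example, not real keys
example.com.	3600	IN	DNSKEY	257 3 8 AwEAAcONSTRUCTEDKSKONE==
example.com.	3600	IN	DNSKEY	257 3 8 AwEAAcONSTRUCTEDKSKTWO==
example.com.	3600	IN	DNSKEY	256 3 8 AwEAAcONSTRUCTEDZSK==
example.com.	3600	IN	DNSKEY	0 3 8 AwEAAnotAZONEKEY==
"""

if __name__ == "__main__":
    for owner, flags, role in classify_keys(SAMPLE_KEYS):
        print(f"{owner} flags={flags} -> {role}")
```

Running the checker over the .key files you pass to ldns-signzone before signing shows at a glance whether each key will be used as a KSK or a ZSK, which is the first thing to verify when a second KSK does not appear in the signed zone as expected.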


