[ldns-users] howto handle offline ksk

A. Schulze sca at andreasschulze.de
Fri Mar 13 12:25:34 UTC 2015


Signing a zone using ldns-signzone is easy, at least if KSK and ZSK
are both available.

I would like to change the setup so host2 has no access to ksk.private.
This is how I think things would go:

   create a ksk
   create a zsk
   sign this zsk
   transfer ksk.public + zsk.private + zsk.sig to Host2

   include {ksk/zsk}.public in zone
   include zsk.sig in zone
   sign zone
   transfer ksk.public (or the DS(ksk.public)) to the delegating domain.

Any suggestions on whether this is correct and how to do that using ldns tools?
(at least: ... not using bind tools ...)
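The staging step of the outline above (include {ksk/zsk}.public and zsk.sig in the zone before ldns-signzone is run with the ZSK only), as added example code that is neither from this list thread nor from ldns: it merges the three records into the unsigned zone and refuses a zsk.sig whose key tag, algorithm, signer name or expiry does not fit the KSK that will be published. The domain, sample records, dummy base64 blobs and 2015 timestamps are constructed; whether ldns-signzone keeps a pre-made DNSKEY signature is the open question of the post and is not asserted here.

```python
import base64
from datetime import datetime, timezone

# Constructed sample records (not real keys): the .key contents ldns-keygen
# writes for a KSK and a ZSK, plus the RRSIG over the DNSKEY RRset that the
# host holding ksk.private produced. The base64 blobs are dummies.
KSK_PUBLIC = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
ZSK_PUBLIC = "example.com. 3600 IN DNSKEY 256 3 13 BQYHCA=="
ZSK_SIG = ("example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20150401000000 "
           "20150301000000 2068 example.com. c2lnbmF0dXJl")
UNSIGNED_ZONE = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                 "2015031301 3600 900 604800 300\n"
                 "example.com. 3600 IN NS ns1.example.com.\n")

def utc(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def dnskey_keytag(dnskey_rr):
    """Key tag of a presentation-format DNSKEY RR (RFC 4034, appendix B)."""
    flags, proto, alg, pubkey = dnskey_rr.split()[4:8]
    rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
             + base64.b64decode(pubkey))
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def signature_problem(ksk_public, zsk_sig, now):
    """Return why zsk.sig must not be published with this KSK, or None if it may."""
    k, s = ksk_public.split(), zsk_sig.split()
    if (int(k[4]) & 1) == 0:
        return "KSK lacks the SEP flag (257); the DS would point at a ZSK"
    if s[3] != "RRSIG" or s[4] != "DNSKEY":
        return "zsk.sig does not cover the DNSKEY RRset"
    if int(s[5]) != int(k[6]) or int(s[10]) != dnskey_keytag(ksk_public):
        return "RRSIG algorithm/key tag do not match the published KSK"
    if s[11] != k[0]:
        return "RRSIG signer name is not the zone apex"
    if utc(s[8]) <= now:
        return "imported DNSKEY signature expired at " + s[8]
    return None

def stage_zone(unsigned_zone, ksk_public, zsk_public, zsk_sig, now):
    """Assemble the zone host2 feeds to ldns-signzone together with the ZSK only."""
    problem = signature_problem(ksk_public, zsk_sig, now)
    if problem:
        raise ValueError(problem)
    return unsigned_zone.rstrip("\n") + "\n" + "\n".join(
        [ksk_public, zsk_public, zsk_sig]) + "\n"
```

Call stage_zone(UNSIGNED_ZONE, KSK_PUBLIC, ZSK_PUBLIC, ZSK_SIG, utc("20150313122534")) to get the staged zone text; a key-tag mismatch or an expired signature raises ValueError instead of silently publishing a DNSKEY RRset that validators cannot verify.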


