In message <[email protected]>, xu dong writes: > > Hi folks, i have a question about signing zone files with the ksk and the > zsk, as i know,when signing the zone files i have to use the ksk and zsk > both,just as following: > > *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK* > but i want to sign the ZSK with KSK first,and then sign the zone files with > zsk,so how can i do?
Firstly you don't sign keys or files, you sign RRsets or zones. '-x' will tell the signer to the DNSKEY RRset only using KSK's. Secondly don't over specify the command line. 'dnssec-signzone -x -o domain-name master-file' is enough in most cases. dnssec-signzone will look at the DNSKEY records in the master-file and workout what is needed. The options are there for when you want dnssec-signzone to do something non-standard. Mark > Thanks. > --=20 > --------------------------------------------------------- > Xudong > [email protected] > Beijing,China -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
