In message <2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com>, xu dong writes:
>
> Hi folks, I have a question about signing zone files with the KSK and the
> ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
> both, just as following:
>
> *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
> but I want to sign the ZSK with the KSK first, and then sign the zone files with
> the ZSK, so how can I do that?

Firstly you don't sign keys or files, you sign RRsets or zones. '-x' will tell the signer to sign the DNSKEY RRset only using KSKs.

Secondly don't over specify the command line. 'dnssec-signzone -x -o domain-name master-file' is enough in most cases. dnssec-signzone will look at the DNSKEY records in the master-file and work out what is needed. The options are there for when you want dnssec-signzone to do something non-standard.

Mark

> Thanks.
> --
> ---------------------------------------------------------
> Xudong
> email: xudon...@gmail.com
> Beijing, China
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
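
Added example, not part of the original thread and not ISC code: a Python check that reads a signed zone and reports any RRset whose signers break the split the reply describes for '-x' (DNSKEY RRset signed only by KSKs, everything else only by ZSKs). It assumes one record per line with explicit owner, TTL and class; the zone example.test, the dummy keys and signatures, and all function names are constructed for illustration.

```python
import base64
from collections import defaultdict

def key_tag(flags, proto, alg, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def audit_signed_zone(text):
    """Return (owner, covered type, key tag, role) for every RRSIG made by
    the wrong kind of key: DNSKEY wants KSKs (257), the rest want ZSKs (256)."""
    roles, sigs = {}, defaultdict(set)
    for line in text.splitlines():
        f = line.split(";")[0].split()          # drop trailing comments
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "DNSKEY":
            flags = int(rdata[0])
            tag = key_tag(flags, int(rdata[1]), int(rdata[2]), "".join(rdata[3:]))
            roles[tag] = "KSK" if flags & 1 else "ZSK"   # SEP bit marks a KSK
        elif rtype == "RRSIG":
            # RRSIG rdata: covered alg labels ttl expire inception keytag signer sig
            sigs[(owner, rdata[0])].add(int(rdata[6]))
    problems = []
    for (owner, covered), tags in sorted(sigs.items()):
        want = "KSK" if covered == "DNSKEY" else "ZSK"
        for tag in sorted(tags):
            if roles.get(tag) != want:
                problems.append((owner, covered, tag, roles.get(tag, "unknown")))
    return problems

# Constructed sample data: dummy key material, not real keys.
KSK_PUB = base64.b64encode(b"constructed KSK key").decode()
ZSK_PUB = base64.b64encode(b"constructed ZSK key").decode()
KSK_TAG, ZSK_TAG = key_tag(257, 3, 8, KSK_PUB), key_tag(256, 3, 8, ZSK_PUB)

def sample_zone(dnskey_signers):
    """Constructed signed zone; dnskey_signers lists key tags signing DNSKEY."""
    rr = [f"example.test. 3600 IN DNSKEY 257 3 8 {KSK_PUB}",
          f"example.test. 3600 IN DNSKEY 256 3 8 {ZSK_PUB}",
          "example.test. 3600 IN NS ns1.example.test."]
    sig = ("example.test. 3600 IN RRSIG {} 8 2 3600 "
           "20100107000000 20091208000000 {} example.test. ZHVtbXk=")
    rr += [sig.format("DNSKEY", t) for t in dnskey_signers]
    return "\n".join(rr + [sig.format("NS", ZSK_TAG)])

if __name__ == "__main__":
    print(audit_signed_zone(sample_zone([KSK_TAG])))           # KSK only
    print(audit_signed_zone(sample_zone([KSK_TAG, ZSK_TAG])))  # ZSK also signs DNSKEY
```

An empty list means the zone has the KSK/ZSK separation expected after signing with '-x'; any entry names the RRset and the key tag to investigate.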