On 25/08/14 11:34, Klaus Darilion wrote: > As I said it depends on which KSK-rollover method you are using. > > OpenDNSSEC uses Double-Signature: (see > https://wiki.opendnssec.org/display/DOCS/Key+Rollovers). > > Thus, it should be sufficient to have only the DS of the active KSK (on > the standby KSKs) in the parent zone.
...and the default for "key export" is to print the DNSKEYs that it thinks should be in the parent zone. (You can get DS records by adding the "--ds" flag.) Sion > regards > Klaus > > > > On 25.08.2014 11:40, Bas van den Dikkenberg wrote: >> I plan to have 2 standby keys as far as I onderstand I have to publish at >> least the active key and both the standby keys right ? >> Wat about the with status retired(not dead) >> >> >> -----Oorspronkelijk bericht----- >> Van: Klaus Darilion [mailto:[email protected]] >> Verzonden: maandag 25 augustus 2014 11:08 >> Aan: Bas van den Dikkenberg; [email protected] >> Onderwerp: Re: [Opendnssec-user] what key's do i need to submit to Registar. >> >> >> >> On 23.08.2014 17:16, Bas van den Dikkenberg wrote: >>> Hi , >>> >>> >>> >>> A question about the key states, I am the process of scripting the >>> updating the KSK to my registerars. >>> >>> >>> >>> Does the output of ods-ksmutil key export -zone zome.tld provide me >>> the keys I need to publish to the registar/tld >>> >>> >>> >>> Do retire and publish also needed to be included ? >> It depends on your KSK rollover method. See: >> >> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-04#section-2.2 >> >> regards >> Klaus >> > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
