Re: Signing with the KSK and ZSK
On Dec 8, 2009, at 2:03 AM, xu dong wrote:

> Hi folks,
> I have a question about signing zone files with the KSK and the ZSK. As I know, when signing the zone files I have to use the KSK and ZSK both, just as following:
>
> dnssec-signzone -o domain-name -t -k KSK zone-name ZSK
>
> But I want to sign the ZSK with the KSK first, and then sign the zone files with the ZSK, so how can I do?

Why do you want to sign with one key at a time? The default behavior is to sign just the DNSKEY RRset with the KSK, and to sign the whole zone with the ZSK, all in one go.

Chris Buxton
Professional Services
Men & Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Signing with the KSK and ZSK
In message 2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com, xu dong writes:

> Hi folks,
> I have a question about signing zone files with the KSK and the ZSK. As I know, when signing the zone files I have to use the KSK and ZSK both, just as following:
>
> *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
>
> But I want to sign the ZSK with the KSK first, and then sign the zone files with the ZSK, so how can I do?

Firstly, you don't sign keys or files, you sign RRsets or zones. '-x' will tell the signer to sign the DNSKEY RRset only using KSKs.

Secondly, don't over-specify the command line. 'dnssec-signzone -x -o domain-name master-file' is enough in most cases. dnssec-signzone will look at the DNSKEY records in the master-file and work out what is needed. The options are there for when you want dnssec-signzone to do something non-standard.

Mark

> Thanks.
> --
> - Xudong
> email: xudon...@gmail.com
> Beijing, China

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

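Added example, not part of the original thread and not BIND code: a small check that a signed zone has the layout the replies describe for '-x' (DNSKEY RRset signed only by the KSK, every other RRset only by the ZSK). It assumes one record per line with owner, TTL and class written out; the zone data, keys and signatures are constructed placeholders, and the function names are hypothetical.

```python
import base64
import struct
from collections import defaultdict

# Constructed sample (placeholder keys and signatures, not real ones).
# The last RRSIG deliberately carries the KSK's key tag to show a deviation.
SAMPLE = """\
example. 3600 IN DNSKEY 257 3 8 AQIDBA==
example. 3600 IN DNSKEY 256 3 8 BQYHCA==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20100107000000 20091208000000 2063 example. c2ln
example. 3600 IN SOA ns.example. admin.example. 1 3600 900 604800 3600
example. 3600 IN RRSIG SOA 8 1 3600 20100107000000 20091208000000 4118 example. c2ln
www.example. 3600 IN A 192.0.2.1
www.example. 3600 IN RRSIG A 8 2 3600 20100107000000 20091208000000 2063 example. c2ln
"""

def key_tag(flags, proto, alg, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def signing_layout(zone_text):
    """Map (owner, covered type) -> roles of the keys whose RRSIGs cover it."""
    records = [l.split() for l in zone_text.splitlines() if l.strip()]
    roles = {}
    for f in records:
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            tag = key_tag(flags, proto, alg, base64.b64decode("".join(f[7:])))
            roles[tag] = "KSK" if flags & 1 else "ZSK"  # SEP bit (flags 257) marks a KSK
    layout = defaultdict(set)
    for f in records:
        if f[3] == "RRSIG":  # f[4] = type covered, f[10] = key tag
            layout[(f[0], f[4])].add(roles.get(int(f[10]), "unknown"))
    return dict(layout)

def deviations(zone_text):
    """RRsets not signed the way the thread describes for '-x'."""
    found = []
    for (owner, rtype), who in sorted(signing_layout(zone_text).items()):
        want = {"KSK"} if rtype == "DNSKEY" else {"ZSK"}
        if who != want:
            found.append(f"{owner} {rtype}: signed by {sorted(who)}, expected {sorted(want)}")
    return found

if __name__ == "__main__":
    print("\n".join(deviations(SAMPLE)) or "layout matches")
```

RRsets that carry no RRSIG at all are not reported by this check; it only classifies the signatures that are present.
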
Signing with the KSK and ZSK
Hi folks,
I have a question about signing zone files with the KSK and the ZSK. As I know, when signing the zone files I have to use the KSK and ZSK both, just as following:

*dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*

But I want to sign the ZSK with the KSK first, and then sign the zone files with the ZSK, so how can I do?

Thanks.
--
- Xudong
email: xudon...@gmail.com
Beijing, China