Re: opendnssec -> inline-signing

2024-03-07 Thread Randy Bush
[ off list ]
> I couldn't help noticing that when you ran dnssec-dsfromkey you
> referenced this directory: /usr/home/dns/Fixed
nah. i have multiple copies so i can `rsync` them to refresh. i am getting closer. as mark pointed in the direction, i found that the keys produced by the extraction

Re: opendnssec -> inline-signing

2024-03-07 Thread Nick Tait via bind-users
On 08/03/2024 12:54, Randy Bush wrote:
> but WHY NOT? same key sets with opendnssec and inline-signing, we think.
The most obvious possibility is that this is referring to a different directory to where you put the keys that you wanted to use:
key-directory "/usr/home/dns/dkeys"
I

Re: opendnssec -> inline-signing

2024-03-07 Thread Mark Andrews
Please read https://kb.isc.org/docs/dnssec-key-and-signing-policy especially the steps to do when migrating to using dnssec-policy with an existing signed zone. Start with "lifetime unlimited". Tell named which keys have DS already published using rndc. You can also use dnssec-settime to do

Re: opendnssec -> inline-signing

2024-03-07 Thread Mark Andrews
> On 8 Mar 2024, at 10:54, Randy Bush wrote:
>
>> Your DS and DNSKEY rrset are not matched. You
>> need to publish the DS for the DNSKEY with key
>> tag 3463.
>>
>> rg.net. 86256 IN DS 12391 8 2
>> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>>
>> rg.net. 3463 IN

Re: opendnssec -> inline-signing

2024-03-07 Thread Randy Bush
> Your DS and DNSKEY rrset are not matched. You
> need to publish the DS for the DNSKEY with key
> tag 3463.
>
> rg.net. 86256 IN DS 12391 8 2
> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>
> rg.net. 3463 IN DNSKEY 256 3 8 (
> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV

Re: opendnssec -> inline-signing

2024-03-07 Thread Mark Andrews
Your DS and DNSKEY rrset are not matched. You need to publish the DS for the DNSKEY with key tag 3463.

rg.net. 86256 IN DS 12391 8 2 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
rg.net. 3463 IN DNSKEY 256 3 8 ( AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV

opendnssec -> inline-signing

2024-03-07 Thread Randy Bush
FreeBSD 13.2-RELEASE-p10 amd64
bind 9.16.48
softhsm-1.3.8 (yes, i know)
opendnssec 2.1.13
moon in klutz

been running opendnssec, and trying to move to bind inline-signing in the hope of making it more readable. the sad story is at https://git.rg.net/randy/randy/src/master/scratch.md

thanks for