> I want to create a set of keys using dnssec-keygen.
> I wonder if it's possible to create one KSK key and a set of ZSK's
> and then to sign the ZSK set with the active KSK.

I'm not sure why you need a "set of" ZSK's. One should be enough unless
you're using multiple signing algorithms.

> Finally what I want is to invoke dnssec-signzone without explicitly
> using the KSK.
>
> - is there another way to proceed?
> - was it the functionality of dnssec-signkey?

Yes, that's possible. You can run dnssec-signzone in phases; it will sign
the zone with the keys it has available to it in each pass. Something like
this:

  $ ksk=`dnssec-keygen -a RSASHA1 -b 2048 -f KSK example.com`
  $ zsk=`dnssec-keygen -a RSASHA1 -b 1024 example.com`
  $ cat ${ksk}.key ${zsk}.key >> example.com
  $ dnssec-signzone example.com ${ksk}
  $ dnssec-signzone -o example.com -f example.com.signed example.com.signed ${zsk}

The first call to dnssec-signzone signs the DNSKEY set using the KSK. The
second call signs the rest of the zone--as well as the previously-signed
DNSKEY set--using the ZSK. (That's why the -o and -f options are there--the
second time around, it's reading in the zone from the previously-signed
version, not from the master source.)

After this, if you like, you can move your KSK to a secure location.
Whenever you change the DNSKEY set (for instance, by rolling to a new ZSK),
you repeat this process.

Note that in future releases (9.6.2 and higher) you'll need to add the -P
option (meaning "partial") to dnssec-signzone for this to work.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
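The two-pass procedure above leaves the operator with an easy way to get the split wrong (for example, accidentally signing the whole zone with the KSK before moving it offline). The following shell script is an added example, not code from Evan Hunt's post or from BIND: it reads a signed zone file, joins records that dnssec-signzone wraps across lines in parentheses, and checks that the DNSKEY RRset carries a KSK signature, that no other RRset does, and that every RRSIG was made by a key tag you recognise. The key tags 12345 (KSK) and 54321 (ZSK) and all records in SAMPLE_ZONE are constructed sample data; the field layout assumed for RRSIG lines is the standard presentation format (owner TTL class RRSIG type alg labels origttl expire inception keytag signer signature).

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): verify that a
# two-pass dnssec-signzone run produced the intended signature split.
#   - the DNSKEY RRset must carry an RRSIG made by the KSK,
#   - no other RRset may carry a KSK signature (the KSK is meant to go offline),
#   - every RRSIG must carry a known key tag (KSK or ZSK).
# Key tags 12345 (KSK) / 54321 (ZSK) and every record below are constructed
# sample data shaped like dnssec-signzone output, including one record
# wrapped in ( ... ) across several lines.

SAMPLE_ZONE='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009010101 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20090201000000 20090101000000 54321 example.com. c2FtcGxl
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20090201000000 20090101000000 54321 example.com. c2FtcGxl
example.com. 3600 IN DNSKEY 257 3 5 ( AwEAAcons ) ; KSK; key id = 12345
example.com. 3600 IN DNSKEY 256 3 5 ( AwEAAcons ) ; ZSK; key id = 54321
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20090201000000 (
    20090101000000 12345 example.com.
    c2FtcGxl )
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20090201000000 20090101000000 54321 example.com. c2FtcGxl
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 5 3 3600 20090201000000 20090101000000 54321 example.com. c2FtcGxl'

# dnssec-signzone wraps long records in ( ... ) over several lines; join each
# such record onto one line so awk sees all fields of a record at once.
join_multiline() {
    awk '
        { line = (line == "") ? $0 : (line " " $0)
          opens = gsub(/\(/, "(", line); closes = gsub(/\)/, ")", line)
          if (opens == closes) { gsub(/[()]/, " ", line); print line; line = "" } }
        END { if (line != "") print line }'
}

# Print "TYPE KEYTAG" for every RRSIG record on stdin (fields: owner TTL class
# RRSIG type alg labels origttl expire inception keytag signer signature).
rrsig_pairs() {
    join_multiline | awk '$4 == "RRSIG" { print $5, $11 }'
}

# Usage: check_split_signing ZONEFILE KSK_TAG ZSK_TAG
# Exit 0 when the split is correct; otherwise print each problem and exit 1.
# The second pass also signs the DNSKEY RRset with the ZSK, which is allowed.
check_split_signing() {
    rrsig_pairs < "$1" | awk -v ksk="$2" -v zsk="$3" '
        $2 == ksk && $1 == "DNSKEY" { ksk_on_dnskey = 1; next }
        $2 == ksk { print "KSK " ksk " signed the " $1 " RRset; only DNSKEY should carry a KSK signature"; bad = 1; next }
        $2 == zsk { next }
        { print "RRSIG over " $1 " by unknown key tag " $2; bad = 1 }
        END {
            if (!ksk_on_dnskey) { print "DNSKEY RRset carries no signature from KSK " ksk; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Demonstration on the constructed sample. For a real zone run
#   check_split_signing example.com.signed <ksk tag> <zsk tag>
# where the tag is the last number in the key file name (K<zone>+<alg>+<tag>.key).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$tmp"
if check_split_signing "$tmp" 12345 54321; then
    echo "signature split looks right"
fi
rm -f "$tmp"
```

Run it against example.com.signed after the second dnssec-signzone pass; a non-zero exit with a "KSK ... signed the ... RRset" line means the KSK was used for ordinary data and the signing should be redone before the KSK is moved to its secure location.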