> Hmm... dnssec-signzone (version 9.7.0-P1) seems to work perfectly well:
>
> dnssec-signzone -k Kexample.com.+008+53749.key -N INCREMENT -g -o example.com example.com Kexample.com.+008+41979
> Verifying the zone using the following algorithms: RSASHA256.
> Zone signing complete:
> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>                       ZSKs: 1 active, 1 stand-by, 0 revoked
> example.com.signed
Did some more digging with dnssec-signzone (v9.7.0-P2 and 9.6.2-P2). It works if:

a) both KSK and ZSK are specified on the command line
b) their DNSKEY records are in the zone file
c) their key files exist on disk.

If only KSK is specified in a), it also works if b) and c) are met. However, if in c) only KSK key files are on disk, but ZSK key files are not, dnssec-signzone fails with the errors mentioned earlier.

Prior to 9.6.2-P1, instead of failing, dnssec-signzone would sign only the DNSKEY RRset with KSK. Then we'd invoke dnssec-signzone with ZSK to sign everything else.

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
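The conditions listed in the message above (both keys named on the command line, their DNSKEY records in the zone, their key files on disk) can be checked before dnssec-signzone is run, so that the failure case described (ZSK published in the zone but its key files absent) is reported plainly instead of surfacing as a signer error. The script below is an added example and is not code from the thread or from BIND; the key ids, base64 and zone contents are constructed, and the `preflight`, `check_key_files`, `check_dnskey_in_zone` and `make_fixture` names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight check to run before
# dnssec-signzone.  It verifies, for every key you intend to name on the
# command line (condition a):
#   (b) the key's DNSKEY record, or a $INCLUDE of its .key file, is in the zone
#   (c) the key's .key and .private files exist in the key directory
# Key ids and base64 values below are constructed, not real keys.

# check_key_files KEYDIR KEYNAME  -- condition (c)
check_key_files() {
    [ -f "$1/$2.key" ] && [ -f "$1/$2.private" ]
}

# check_dnskey_in_zone ZONEFILE KEYDIR KEYNAME  -- condition (b)
# dnssec-keygen writes "<owner> IN DNSKEY <flags> 3 <alg> <base64>" into the
# .key file; the zone copy may carry a TTL, so compare from "DNSKEY" onward.
check_dnskey_in_zone() {
    ckz_zone=$1; ckz_keyfile="$2/$3.key"
    # a $INCLUDE of the .key file is the other common way to publish the key
    if grep '^\$INCLUDE' "$ckz_zone" | grep -qF "$3.key"; then
        return 0
    fi
    ckz_rr=$(grep -v '^;' "$ckz_keyfile" | grep DNSKEY | head -n 1 \
             | sed -n 's/.*\(DNSKEY.*\)/\1/p' | tr -s ' \t' ' ')
    [ -n "$ckz_rr" ] || return 1
    grep -v '^;' "$ckz_zone" | tr -s ' \t' ' ' | grep -qF "$ckz_rr"
}

# preflight ZONEFILE KEYDIR KEYNAME...  -- 0 only if every key passes (b) and (c)
preflight() {
    pf_zone=$1; pf_keydir=$2; shift 2
    for pf_key in "$@"; do
        if ! check_key_files "$pf_keydir" "$pf_key"; then
            echo "preflight: key files for $pf_key not found in $pf_keydir" >&2
            return 1
        fi
        if ! check_dnskey_in_zone "$pf_zone" "$pf_keydir" "$pf_key"; then
            echo "preflight: no DNSKEY for $pf_key in $pf_zone" >&2
            return 1
        fi
    done
    return 0
}

# make_fixture DIR  -- constructed zone and key files for the demo and test
KSK=Kexample.com.+008+53749
ZSK=Kexample.com.+008+41979
make_fixture() {
    mf_dir=$1
    printf 'example.com. IN DNSKEY 257 3 8 AwEAAcKSKconstructed==\n' > "$mf_dir/$KSK.key"
    printf 'Private-key-format: v1.3\n' > "$mf_dir/$KSK.private"
    printf 'example.com. IN DNSKEY 256 3 8 AwEAAcZSKconstructed==\n' > "$mf_dir/$ZSK.key"
    printf 'Private-key-format: v1.3\n' > "$mf_dir/$ZSK.private"
    cat > "$mf_dir/example.com" <<'EOF'
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. 2010010101 7200 3600 1209600 3600
example.com.  IN NS  ns1.example.com.
example.com.  3600 IN DNSKEY 257 3 8 AwEAAcKSKconstructed==
example.com.  3600 IN DNSKEY 256 3 8 AwEAAcZSKconstructed==
EOF
}

# Demo: passes with both keys on disk, then fails once the ZSK files are gone,
# which is the situation the message above reports as a dnssec-signzone error.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
if preflight "$demo_dir/example.com" "$demo_dir" "$KSK" "$ZSK"; then
    echo "ready to sign: dnssec-signzone -k $KSK.key -o example.com $demo_dir/example.com $ZSK"
fi
rm -f "$demo_dir/$ZSK.key" "$demo_dir/$ZSK.private"
preflight "$demo_dir/example.com" "$demo_dir" "$KSK" "$ZSK" || echo "not ready to sign"
```

The DNSKEY comparison is deliberately loose (it ignores owner name and TTL and matches from the `DNSKEY` field onward), which is enough to catch a key that was generated but never published; a record split across lines with parentheses would need the zone normalised first, for example by running it through named-checkzone with its dump option.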

