Thanks.

In this situation:
- KSK signs the ZSK (DNSKEY RR).
- ZSK signs the other RRs of the zone.

I don't see a reason for the KSK to be present in operations unless adding/deleting DNSKEY RRs.

I think this error message is a bug:
dns_dnssec_findzonekeys2: error reading private key file my.zone.com/NSEC3RSASHA1/42969(KSK): file not found

or not?

On 06/13/2011 11:19 PM, Mark Andrews wrote:
Add 'key-directory "<location>";' to named.conf so named knows where
to look for the K* files.  This is settable at zone/view/options
levels.

As for storing K* files on another machine, if the zone is updatable
there is no point in doing so.

Mark
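As an added illustration of Mark's suggestion (not part of the thread), the key-directory set at the zone level alongside the two options Noel already has; the zone file path and key directory path are assumptions:

```conf
// Added example, not from the original messages; paths are assumed.
options {
    dnssec-dnskey-kskonly yes;   // only the KSK signs the DNSKEY RRset
    update-check-ksk yes;        // the ZSK signs every other RRset in the zone
};

zone "my.zone.com" {
    type master;
    file "/var/named/dynamic/my.zone.com.db";      // assumed zone file path
    key-directory "/var/named/keys/my.zone.com";   // where named looks for the K* files
    // the existing dynamic-update settings for the zone go here as before
};
```

Since the K* files for both the ZSK and the KSK are looked up in this directory, named reports a missing-file error for whichever key it cannot find when it needs to sign.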

In message <4df649b5....@noelrocha.com>, Noel Rocha writes:
Hello,

I'm having this error after adding an RR using nsupdate:
named[18254]: dns_dnssec_findzonekeys2: error reading private key file
my.zone.com/NSEC3RSASHA1/42969: file not found

Keytag 42969 is the KSK.

My named.conf is setup with the KSK to sign only dnskey:
-------------------------------------------------
options {
     [..]
     dnssec-dnskey-kskonly yes;
     update-check-ksk yes;
};
-------------------------------------------------

Can't I store the private KSK on my other machine for security reasons?
Can I ignore this error?

Recommendations?

Thanks in advance,
Noel Rocha

On 06/10/2011 01:11 PM, Noel Rocha wrote:
Hello,

I have a question about DNSSEC when zones are dynamically updated and
are changed by users all the time.

Does the KSK need to be stored in "key-directory"? I want to store it on an unmounted
volume and mount it when needed.

P.S: I have some KSKs and ZSKs.

Thanks in advance,
Noel Rocha
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users