Hello,

I'm using dnssec-signzone to sign a zonefile. I have 3 keys stored on an HSM, 
here is the metadata for the keys:

; This is a key-signing key, keyid 15464, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

; This is a zone-signing key, keyid 49480, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)

; This is a zone-signing key, keyid 60436, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

Using dnssec-signzone -S -d <directory_holding_key_data> ...
a new signed zonefile is created and both ZSKs are used to sign all RRsets but 
the DNSKEY. What I'm expecting to happen is that ZSK (keyid 49480) is 
published, but not used for signing (the activation time is a month in the 
future).
I'm using BIND 9.9.9-P5.
Am I missing something?
Thank you in advance.

Emil
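
Added example, not part of the original post: a small Python check that parses key-file timing headers like the ones quoted above and reports the role each key's metadata calls for at a chosen signing time. The rules are a simplified reading of the timing behaviour documented for `dnssec-signzone -S` (Revoke is ignored); the names `parse_keys`, `expected_role`, `roles_at` and the 2017-01-20 signing time are constructed for illustration.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the key headers quoted in the post (Created lines omitted).
KEY_HEADERS = """\
; This is a key-signing key, keyid 15464, for example.com.
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)
; This is a zone-signing key, keyid 49480, for example.com.
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)
; This is a zone-signing key, keyid 60436, for example.com.
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)
"""

HEAD = re.compile(r"^; This is a (key|zone)-signing key, keyid (\d+), for ")
STAMP = re.compile(r"^; (\w+): (\d{14})\b")

def parse_keys(text):
    """Return one dict per key: type, keyid and its timing metadata as UTC datetimes."""
    keys = []
    for line in text.splitlines():
        head, stamp = HEAD.match(line), STAMP.match(line)
        if head:
            kind = "KSK" if head.group(1) == "key" else "ZSK"
            keys.append({"type": kind, "keyid": int(head.group(2)), "times": {}})
        elif stamp and keys:
            # The 14-digit value is UTC; the parenthesised text is local time.
            when = datetime.strptime(stamp.group(2), "%Y%m%d%H%M%S")
            keys[-1]["times"][stamp.group(1)] = when.replace(tzinfo=timezone.utc)
    return keys

def expected_role(key, now):
    """Role the timing metadata asks for at `now` (simplified: Revoke is ignored)."""
    reached = lambda name: name in key["times"] and key["times"][name] <= now
    if reached("Delete"):
        return "removed"
    if reached("Activate") and not reached("Inactive"):
        return "publish+sign"
    if reached("Publish") or reached("Activate"):
        return "publish-only"
    return "unused"

def roles_at(text, now):
    """Map keyid -> expected role at `now` for every key header in `text`."""
    return {k["keyid"]: expected_role(k, now) for k in parse_keys(text)}

if __name__ == "__main__":
    now = datetime(2017, 1, 20, tzinfo=timezone.utc)  # constructed signing time
    print(roles_at(KEY_HEADERS, now))
```

Comparing this expected mapping with the key tags that appear in the RRSIG records of the signed zone shows whether the signer followed the timing metadata.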