Hi,

The main problem is that the input to DelegationSignerSubmitCommand doesn't contain any key identifier (OpenDNSSEC 1.3.8).
Example of input:

aaa.cz. 3600 IN DNSKEY 257 3 8 AwEAAcnuct87tqDPCXVLKeFYY6/g796Ung75/Gqct7AJuxqPfmex3zGo4Izuz44Sv/PoNgCGdXXQcomzHabhFCd4ZkXxeiH5AxahEr+CympCvKfR0n+jn93fteazl+/jjCjsnaokOrADg7CHc9Puy2FVc+DsQejGXI5Vgak8sL2sILpjtr9HjRKfX+BvmxOFyAyPOpOw/hARcoc00ZMqXQIQoyAwIaaRN//EUhGhokEpziDWFuNk2bcNTJMTyS0NnmdPnvqWo/qQxcIEgwnsyMUxVTgJyUQIqNNVdxkk/N8gjNsFWUBRuR7XhH7laV5/N+E4lWUxBw/JAIXKXCAWkW7LmkU=

So the only possibility is to compute key_id.

Dan
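To make the "compute key_id" step concrete: the only identifier that can be derived from the DNSKEY line itself is the RFC 4034 key tag (the number ldns prints as `id` in the key export comment), not the HSM's CKA_ID. The script below, added here and not part of the thread or of OpenDNSSEC, parses the aaa.cz. record Dan posted, computes its key tag per RFC 4034 Appendix B, and counts tags per owner so that two keys of one zone sharing a tag (the ambiguity Dan mentions) are caught before the tag is passed to `ods-ksmutil key ds-seen`.

```python
import base64
import struct

# Sample input: the DNSKEY line Dan posted above for aaa.cz., exactly as
# DelegationSignerSubmitCommand hands it over (split here only for readability).
SAMPLE_DNSKEY = (
    "aaa.cz. 3600 IN DNSKEY 257 3 8 "
    "AwEAAcnuct87tqDPCXVLKeFYY6/g796Ung75/Gqct7AJuxqPfmex3zGo4Izuz44Sv/PoNgCGdXXQcomzHabhFCd4"
    "ZkXxeiH5AxahEr+CympCvKfR0n+jn93fteazl+/jjCjsnaokOrADg7CHc9Puy2FVc+DsQejGXI5Vgak8sL2sILpj"
    "tr9HjRKfX+BvmxOFyAyPOpOw/hARcoc00ZMqXQIQoyAwIaaRN//EUhGhokEpziDWFuNk2bcNTJMTyS0NnmdPnvqW"
    "o/qQxcIEgwnsyMUxVTgJyUQIqNNVdxkk/N8gjNsFWUBRuR7XhH7laV5/N+E4lWUxBw/JAIXKXCAWkW7LmkU="
)


def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, pubkey)."""
    fields = line.split()
    idx = [f.upper() for f in fields].index("DNSKEY")  # tolerates a missing TTL or class
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be wrapped
    return owner, flags, protocol, algorithm, pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the wire-format RDATA, RFC 4034 Appendix B (B.1 for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    if algorithm == 1:  # RSA/MD5: the tag is the next-to-last 16 bits of the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):  # even bytes add to the high octet, odd to the low
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tags_by_owner(lines):
    """Map (owner, key tag) -> number of DNSKEY lines with that tag.

    A count above 1 means the tag alone cannot identify the key for ds-seen."""
    seen = {}
    for line in lines:
        owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
        key = (owner, key_tag(flags, protocol, algorithm, pubkey))
        seen[key] = seen.get(key, 0) + 1
    return seen


if __name__ == "__main__":
    owner, *rdata_fields = parse_dnskey(SAMPLE_DNSKEY)
    print(owner, "key tag:", key_tag(*rdata_fields))
```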


On 05/14/2012 11:25 PM, Sebastian Castro wrote:
On 12/05/12 00:27, Daniel Salzman wrote:
Hi,
Hi,

I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use
DelegationSignerSubmitCommand option
for starting my external program, I am missing any information about key
identifier relating to DNSKEY record,
that should be subsequently used for key ds-seen. Although there is
possibility to compute key_id manually,
this is not ideal approach due to ambiguity. It would be useful to add
CKA_ID in comment to DelegationSignerSubmitCommand
parameter (if required in configuration).
When faced with the same issue, we provided a change to OpenDNSSEC to
include the CKA_ID into the ods-ksmutil key export output.

Our test system produces the following

ods-ksmutil key export --zone nz
SQLite database set to: /var/opendnssec/kasp.db

;active KSK DNSKEY record:
; CKA_ID: a6a5695ca0ebaaa741f2b552889fd502
nz.     3600    IN      DNSKEY  257 3 8
AwEAAaT0q51/JlyU37rJl/12ji5Qx/64oeftxIHpOMDVbCwOs1VWHeuGcZhwA8SBd9iCYGNMzcZptjMUd0C2DaJsbfhFFmIyUdq39s1qKYdo41HajX7NQIxb89C+SQIlsuVs0mNrPHjiczm2KFkM7oY8D3nORJCEDxglc4+NxZuaDgVlTqFXVqzgg/y5z3LLySou4XA1g5mpGaf5M+DUwWa/zs9aWF5M88y9JzpacuXcCzY0H7bvsOn/0/qlTlrecpMUt3sSpLHcE4idFjn8xK3BCEVDWlXXQDIweU07d6Sg6GhYtbbNp8l3Y7dw9XjLGOF2Xts9VRzBwBcELwb0R4AkiO0=
;{id = 21091 (ksk), size = 2048b}

If I recall correctly, the DelegationSignerSubmitCommand receives that
output, which would allow you to match the right DNSKEY with the DS record.

Cheers,

Thanks
Dan
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
