On 09/13/2012 12:19 AM, Paul Wouters wrote:
>
> Hi,
>
> I'm looking at telling opendnssec to sign the DNSKEY RRset with
> both the ZSK and KSK.
>
> The documentation at
> https://wiki.opendnssec.org/display/DOCS/signconf.xml tells me to
> add "<ZSK/>" to the Keys section for the 257 flags. This did not
> seem to work for me.
It's the other way around: if you want to sign the DNSKEY RRset with the ZSK, you should add <KSK/> to the Keys section for the 256 flags.

Unfortunately, this does not work because the signer is smart: if there already exists a signature with the same algorithm for the RRset, it will skip the key for signing. I could change this for OpenDNSSEC 1.4. However, only for the DNSKEY RRset, because this smartness is important for the smooth ZSK Pre-Publication rollover.

But you would still have the problem that the kasp.xml does not support it yet.

> However, this file is generated based on other xml files. Is there
> a way to specify this via a policy option in kasp.xml?

No, but it should be possible in OpenDNSSEC 2.0, with a <CSK> section.

Best regards,

Matthijs

> Paul

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
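To make the key-selection rule in the reply concrete, here is an added model (not OpenDNSSEC code): it parses a constructed signconf-style <Keys> fragment and applies the role rule (KSK-role keys sign the DNSKEY RRset, ZSK-role keys sign the rest) together with the "same algorithm already signed, skip the key" rule described above. The <Locator> values are placeholders, and the skip_same_algorithm switch is an assumption used only to show what the proposed 1.4 change for the DNSKEY RRset would do.

```python
import xml.etree.ElementTree as ET

# Constructed signconf-style <Keys> fragment; locators are placeholders.
# The 256-flag key also carries <KSK/>, as the reply describes.
SIGNCONF_KEYS = """<Keys>
  <Key>
    <Flags>257</Flags>
    <Algorithm>8</Algorithm>
    <Locator>KSK-LOCATOR-PLACEHOLDER</Locator>
    <KSK/>
  </Key>
  <Key>
    <Flags>256</Flags>
    <Algorithm>8</Algorithm>
    <Locator>ZSK-LOCATOR-PLACEHOLDER</Locator>
    <KSK/>
    <ZSK/>
  </Key>
</Keys>"""

def parse_keys(xml_text):
    """Return one dict per <Key>: flags, algorithm, locator, roles."""
    keys = []
    for k in ET.fromstring(xml_text).findall("Key"):
        keys.append({
            "flags": int(k.findtext("Flags")),
            "algorithm": int(k.findtext("Algorithm")),
            "locator": k.findtext("Locator"),
            "roles": {r for r in ("KSK", "ZSK") if k.find(r) is not None},
        })
    return keys

def signing_keys(rrtype, keys, skip_same_algorithm=True):
    """Locators of keys that sign `rrtype`: KSK-role keys sign DNSKEY,
    ZSK-role keys sign everything else. With skip_same_algorithm a key is
    skipped once the RRset already has a signature of that algorithm (the
    signer's "smart" rule); False models the proposed 1.4 change."""
    role = "KSK" if rrtype == "DNSKEY" else "ZSK"
    used_algorithms = set()
    chosen = []
    for key in keys:
        if role not in key["roles"]:
            continue
        if skip_same_algorithm and key["algorithm"] in used_algorithms:
            continue  # same algorithm already signed this RRset: skip
        used_algorithms.add(key["algorithm"])
        chosen.append(key["locator"])
    return chosen
```

With both keys on algorithm 8 the DNSKEY RRset gets only the KSK signature, which is the behaviour the reply explains; giving the ZSK a different algorithm number makes the second signature appear.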
