Re: Signing with the KSK and ZSK

2009-12-08 Thread Mark Andrews

In message <2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com>, xu 
dong writes:
> 
> Hi folks, I have a question about signing zone files with the KSK and the
> ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
> both, just as following:
> 
> *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
> but I want to sign the ZSK with KSK first, and then sign the zone files with
> ZSK, so how can I do that?

Firstly you don't sign keys or files, you sign RRsets or zones.

'-x' will tell the signer to sign the DNSKEY RRset only using KSK's.

Secondly, don't over-specify the command line.

'dnssec-signzone -x -o domain-name master-file'

is enough in most cases.  dnssec-signzone will look at the DNSKEY
records in the master-file and work out what is needed.

The options are there for when you want dnssec-signzone to do
something non-standard.

Mark

> Thanks.
> --
> -
> Xudong
> email:xudon...@gmail.com
> Beijing,China
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
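
A way to check a signed zone for the split that '-x' is described as producing above (the DNSKEY RRset signed only by KSKs, no other RRset signed by a KSK). This is an added example, not part of the thread and not BIND code. The function names are hypothetical, the zone is assumed to hold one record per line for a single zone, and the sample zone is constructed with fake key bytes and placeholder signatures.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def audit(zone_text):
    """List RRSIGs that break the split: KSK on DNSKEY only, ZSK on the rest."""
    roles, sigs = {}, []  # key tag -> role; (owner, covered type, key tag)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith(";"):
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            tag = key_tag(flags, proto, alg, base64.b64decode("".join(f[7:])))
            roles[tag] = "KSK" if flags & 1 else "ZSK"  # SEP bit set => KSK
        elif f[3] == "RRSIG":
            sigs.append((f[0], f[4], int(f[10])))  # field 10 is the key tag
    problems = []
    for owner, covered, tag in sigs:
        role = roles.get(tag)
        if role is None:
            problems.append(f"{owner} {covered}: signed by unknown key {tag}")
        elif (covered == "DNSKEY") != (role == "KSK"):
            problems.append(f"{owner} {covered}: signed by {role} {tag}")
    return problems

def sample_zone(ksk_signs_data=False):
    """Constructed sample: fake key bytes, placeholder signatures, no real crypto."""
    ksk, zsk = bytes(range(32)), bytes(range(32, 64))
    kt, zt = key_tag(257, 3, 8, ksk), key_tag(256, 3, 8, zsk)
    sig = "example. 3600 IN RRSIG {} 8 1 3600 20100107000000 20091208000000 {} example. c2ln"
    return "\n".join([
        f"example. 3600 IN DNSKEY 257 3 8 {base64.b64encode(ksk).decode()}",
        f"example. 3600 IN DNSKEY 256 3 8 {base64.b64encode(zsk).decode()}",
        sig.format("DNSKEY", kt),
        sig.format("SOA", kt if ksk_signs_data else zt),
    ])

if __name__ == "__main__":
    print(audit(sample_zone()))                     # clean split
    print(audit(sample_zone(ksk_signs_data=True)))  # KSK used on zone data
```

The check only compares key tags and flags; it does not verify any signature.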


Re: Signing with the KSK and ZSK

2009-12-08 Thread Chris Buxton
On Dec 8, 2009, at 2:03 AM, xu dong wrote:

> Hi folks, I have a question about signing zone files with the KSK and the
> ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
> both, just as following:
> 
> dnssec-signzone -o domain-name -t -k KSK zone-name ZSK
> but I want to sign the ZSK with KSK first, and then sign the zone files with
> ZSK, so how can I do that?

Why do you want to sign with one key at a time? The default behavior is to sign 
just the dnskey RRSet with the KSK, and to sign the whole zone with the ZSK, 
all in one go.

Chris Buxton
Professional Services
Men & Mice



Signing with the KSK and ZSK

2009-12-07 Thread xu dong
Hi folks, I have a question about signing zone files with the KSK and the
ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
both, just as following:

*dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
but I want to sign the ZSK with KSK first, and then sign the zone files with
ZSK, so how can I do that?

Thanks.
-- 
-
Xudong
email:xudon...@gmail.com
Beijing,China
-