Niobos wrote:
>
> However, I don't see any security-benefits in this scenario: If the attacker
> gets hold of the credentials to update the zone dynamically, he can do so in
> both cases (KSK online or offline). If your server is compromised, he can
> add/remove records in both cases. In case of Z
On 2011-06-15 15:51, Noel Rocha wrote:
In this situation:
- KSK signs the ZSK (DNSKEY RR).
- ZSK signs the other RRs of the zone.
I don't see a reason for the KSK to be present in operations unless
adding/deleting DNSKEY RRs.
I had the same idea roughly a year ago. And while you're right, it
doesn't change much in
On Wed, Jun 15, 2011 at 10:51:38AM -0300, Noel Rocha wrote:
Thanks.
In this situation:
- KSK signs the ZSK (DNSKEY RR).
- ZSK signs the other RRs of the zone.
I don't see a reason for the KSK to be present in operations unless
adding/deleting DNSKEY RRs.
Signature expiration.
Thanks.
In this situation:
- KSK signs the ZSK (DNSKEY RR).
- ZSK signs the other RRs of the zone.
I don't see a reason for the KSK to be present in operations unless
adding/deleting DNSKEY RRs.
I think this error message is a bug:
dns_dnssec_findzonekeys2: error reading private key file
my.zone.com/NSEC3RSASH
Add 'key-directory "";' to named.conf so named knows where
to look for the K* files. This is settable at the zone/view/options
levels.
As for storing K* files on another machine, if the zone is updatable
there is no point in doing so.
Mark
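For reference, this is what a zone configured the way the thread describes (dynamic updates via nsupdate, the KSK signing only the DNSKEY RRset, K* files in a dedicated key-directory) looks like in named.conf. It is an added example, not configuration posted in the thread or shipped with BIND; the file paths, the update key name and its placeholder secret are assumptions, while the zone name, key tag 42969 and algorithm 7 (NSEC3RSASHA1) come from the error message quoted above.

```conf
// Added example, not from the thread. Paths, the TSIG key name and the
// secret below are assumptions; replace them for real use.
key "my.zone.com-update." {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=";   // placeholder, not a real secret
};

options {
    directory "/var/named";
    // Default location of the K* files for every zone, e.g.
    // Kmy.zone.com.+007+42969.private for the KSK named in the error above
    // (007 = NSEC3RSASHA1, 42969 = key tag).
    key-directory "/var/named/keys";
};

zone "my.zone.com" {
    type master;
    file "dynamic/my.zone.com.db";

    // Zone-level override of the options-level key-directory. named opens
    // the .private files here whenever it has to (re)sign something; if the
    // directory is not readable at that moment (for example an unmounted
    // volume), named logs
    // "dns_dnssec_findzonekeys2: error reading private key file ...".
    key-directory "/var/named/keys/my.zone.com";

    // Who may change the zone with nsupdate.
    update-policy { grant my.zone.com-update. subdomain my.zone.com. ANY; };

    // Load key timing metadata from the K* files and keep the zone signed.
    auto-dnssec maintain;

    // The KSK signs only the DNSKEY RRset; every other RRset is signed by
    // the ZSK alone, so ordinary updates never touch the KSK.
    dnssec-dnskey-kskonly yes;

    // Signatures generated by named are valid for 30 days and regenerated
    // when 7 days remain. The RRSIG over DNSKEY made by the KSK follows the
    // same schedule, which is the "signature expiration" answer above: the
    // KSK private key must be readable at least once every 23 days even if
    // no DNSKEY is ever added or removed.
    sig-validity-interval 30 7;
};
```

With this configuration named needs the KSK only when the DNSKEY RRset is added to, removed from, or due for re-signing; at every other update the ZSK alone is used. It does not change the point made twice in the thread: if the zone accepts dynamic updates, the ZSK and the update credentials are on the server anyway, so keeping the KSK on a separately mounted volume does not protect the zone contents against a compromise of that server.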
In message <4df649b5@noelrocha.com>, Noel Rocha writes:
Hello,
I'm having this error after adding an RR using nsupdate:
named[18254]: dns_dnssec_findzonekeys2: error reading private key file
my.zone.com/NSEC3RSASHA1/42969: file not found
Keytag 42969 is the KSK.
My named.conf is set up with the KSK signing only the DNSKEY:
---
Hello,
I have a question about DNSSEC when zones are dynamically updated and
are changed by users all the time.
Does the KSK need to be stored in "key-directory"? I want to store it on an
unmounted volume and mount it when needed.
P.S.: I have some KSKs and ZSKs.
Thanks in advance,
Noel Rocha