Hi Tomas,

> I am trying to use zkt to sign two zones, tlund.se and ipv6-only.tlund.se 
> and I am having trouble understanding what I need to do to get zkt to 
> insert data from ipv6-only.tlund.se into the parentzone tlund.se.
> 
> Directory structure is as follows:
> 
> /etc/bind/dnssec/tlund.se/
> /etc/bind/dnssec/tlund.se/ipv6-only.tlund.se/
> 
> These two dirs contain a zone.db for the respective domain. After running 
> zkt, it generates a signed zone zone.db.signed for both tlund.se and 
> ipv6-only.tlund.se, but no DS-records for ipv6-only.tlund.se are included 
> in the parent zone.

Please check if you have set the parameter KeysetDir to ".." in the
dnssec.conf file.

The second parameter which is involved in this is SigGenerateDS. But I
guess that this one is set, otherwise the dnssec-signzone command
wouldn't be called with option -g.

> The broken delegation can be seen with dig as these domains are live in 
> the DNS system or at http://dnsviz.net/d/ipv6-only.tlund.se/dnssec/
> 
> Output from zkt-signer:
> 
> $ /usr/local/bin/zkt-signer -vv -c /etc/bind/dnssec/dnssec.conf
> parsing zone "ipv6-only.tlund.se." in dir 
> "/etc/bind/dnssec/tlund.se/ipv6-only.tlund.se"
>          Check RFC5011 status
>                  ->not a rfc5011 zone, looking for a regular ksk rollover
>          Check KSK status
>          Check ZSK status
>          Re-signing necessary: Zone file edited
>          Writing key file 
> "/etc/bind/dnssec/tlund.se/ipv6-only.tlund.se/dnskey.db"
>          Incrementing serial number in file 
> "/etc/bind/dnssec/tlund.se/ipv6-only.tlund.se/zone.db"
>          Signing zone "ipv6-only.tlund.se."
>            Run cmd "cd /etc/bind/dnssec/tlund.se/ipv6-only.tlund.se; 
> /usr/sbin/dnssec-signzone  -C -g -o ipv6-only.tlund.se. -e +864000  zone.db 
> K*.private 2>&1"
>            Cmd dnssec-signzone return: "zone.db.signed"
>          Signing completed after 0s.
> 
> parsing zone "tlund.se." in dir "/etc/bind/dnssec/tlund.se"
>          Check RFC5011 status
>                  ->not a rfc5011 zone, looking for a regular ksk rollover
>          Check KSK status
>          Check ZSK status
>          Re-signing necessary: Zone file edited
>          Writing key file "/etc/bind/dnssec/tlund.se/dnskey.db"
>          Incrementing serial number in file 
> "/etc/bind/dnssec/tlund.se/zone.db"
>          Signing zone "tlund.se."
>            Run cmd "cd /etc/bind/dnssec/tlund.se; /usr/sbin/dnssec-signzone  
> -C -g -o tlund.se. -e +864000  zone.db K*.private 2>&1"
>            Cmd dnssec-signzone return: "zone.db.signed"
>          Signing completed after 0s.
> 
> //tlund


 Holger
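
A check to run on the parent's zone.db.signed after re-signing, added here as an example (not part of the original message and not ZKT code): it lists delegated names that have NS records but no DS, which is the symptom reported above. It assumes dnssec-signzone's default output layout with absolute owner names and numeric TTLs; the function names and the sample zone text are constructed for illustration.

```python
# Constructed sample in the layout dnssec-signzone writes; shortened, not real data.
SAMPLE_SIGNED_PARENT = """\
; constructed sample of a parent zone.db.signed
tlund.se.            3600 IN SOA ns1.tlund.se. hostmaster.tlund.se. (
                          2012010101 ; serial
                          3600 900 604800 3600 )
                     3600 RRSIG SOA 5 2 3600 20120111000000 (
                          20120101000000 12345 tlund.se. AAAA )
                     3600 NS  ns1.tlund.se.
ipv6-only.tlund.se.  3600 IN NS ns1.ipv6-only.tlund.se.
                     3600 NSEC signed-child.tlund.se. NS RRSIG NSEC
signed-child.tlund.se. 3600 IN NS ns1.signed-child.tlund.se.
                     3600 DS  11111 5 1 ( 00112233 )
"""


def types_by_owner(zone_text, origin):
    """Map each absolute owner name to the set of record types it holds."""
    owners, current, depth = {}, origin, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # naive comment strip (simplification)
        inside = depth > 0                     # continuation of a ( ... ) record
        depth += line.count("(") - line.count(")")
        if inside or not line.strip() or line.startswith("$"):
            continue                           # $ORIGIN/$TTL are ignored (assumption)
        tokens = line.split()
        if not raw[0].isspace():               # owner name starts in column one
            name = tokens.pop(0).lower()
            if name == "@":
                current = origin
            else:
                current = name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                      # skip TTL and class
        if tokens:
            owners.setdefault(current, set()).add(tokens[0].upper())
    return owners


def delegations_without_ds(zone_text, origin):
    """Return delegated child names (NS below the apex) that have no DS RRset."""
    origin = origin.lower()
    owners = types_by_owner(zone_text, origin)
    return sorted(name for name, types in owners.items()
                  if name != origin and "NS" in types and "DS" not in types)


if __name__ == "__main__":
    for child in delegations_without_ds(SAMPLE_SIGNED_PARENT, "tlund.se."):
        print("delegation without DS:", child)
```

A name listed here is either an intentionally unsigned delegation or, as in this thread, a signed child whose DS records did not reach the parent.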


_______________________________________________
zkt-users mailing list
zkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zkt-users
