Hi,

I have a domain but my registrar doesn't do DNSSEC, so I use the ISC DLV
system to publish my KSK.

This all works ok.

My current KSK is nearing the end of its life, so I want to do the KSK
rollover and get the new KSK into the ISC DLV system.

AFAICT the sequence is something like:

# generate new ksk
zkt-keyman -k -C pointless.net
# and resign and reload zone
zkt-signer -r -v -v

# find keyid and publish (?) (not needed?)
zkt-keyman -P <keyid>
# and resign and reload zone
zkt-signer -r -v -v

# give DS etc. to upper zones, wait for propagation/TTL etc.
# after waiting make new key active
zkt-keyman -A <keyid>
# and resign and reload zone
zkt-signer -r -v -v

# wait for propagation/TTL etc.
# now depreciate the old key
zkt-keyman -D <oldkeyid>
# and resign and reload zone
zkt-signer -r -v -v

I've done the first step and I can see the DNSKEY record with dig, and so can
DNSViz etc.

zkt-ls shows it in 'sta' state

If I try to publish the new key I get:

zkt-keyman: Couldn't change status of key 16611: 1

looking in the dir i see:

Kpointless.net.+005+16611.key
Kpointless.net.+005+16611.published

So it's there, but as .published rather than .private?

Looking through the source, that means it's already published.

The ISC DLV system can see the key and can fetch it etc., but it complains that:

4.208:INFO VERIFY-DNSKEY: 1 keys found after filtering.
4.208:DEBUG VERIFY-DNSKEY: Using keys:
4.209:DEBUG VERIFY-DNSKEY: tag=16611 flags=257 alg=RSASHA1 BQEAAAAB...g0n0rOBbw==
4.209:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.212:FAILURE DNSKEY signature verification failed: Signing key not found

Looking with dig (as far as I can tell), the RRSIGs use the existing KSK and ZSK.

So is there some bit in the DNSKEY record that needs setting?

I guess that I can go ahead and activate it, but I want to check that that
won't replace the existing key.

Presumably it's OK to have two KSKs for a short time?

I'm using zkt-1.1.0 (compiled myself) on Debian.

-- 
[http://pointless.net/]                                   [0x2ECA0975]

_______________________________________________
zkt-users mailing list
zkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zkt-users