I have a domain but my registrar doesn't do DNSSEC so I use the ISC DLV 
system to publish my KSK.

This all works ok.

My current KSK is nearing the end of its life so I want to do the KSK 
rollover and get the new KSK in the ISC DLV system.

afaict the sequence is something like:

# generate new ksk
zkt-keyman -k -C pointless.net
# and resign and reload zone
zkt-signer -r -v -v

# find keyid and publish (?) (not needed?)
zkt-keyman -P <keyid>
# and resign and reload zone
zkt-signer -r -v -v

# give DS etc to upper zones, wait for propagation/ttl etc.
# after waiting make new key active
zkt-keyman -A <keyid>
# and resign and reload zone
zkt-signer -r -v -v

# wait for propagation/ttl etc.
# now depreciate the old key
zkt-keyman -D <oldkeyid>
# and resign and reload zone
zkt-signer -r -v -v

I've done the first step and I can see the DNSKEY record with dig and so can 

zkt-ls shows it in 'sta' state

If I try to publish the new key I get:

zkt-keyman: Couldn't change status of key 16611: 1

Looking in the dir I see:


so it's there, but .published rather than .private?

Looking through the source that means it's already published.

The ISC DLV system can see the key, and can fetch it etc, but it complains that:

4.208:INFO VERIFY-DNSKEY: 1 keys found after filtering.
4.208:DEBUG VERIFY-DNSKEY: Using keys:
4.209:DEBUG VERIFY-DNSKEY: tag=16611 flags=257 alg=RSASHA1 
4.209:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.212:FAILURE DNSKEY signature verification failed: Signing key not found

Looking with dig (as far as I can tell) the RRSIGs use the existing KSK and

So is there some bit in the dnskey record that needs setting?

I guess that i can go ahead and activate it, but I want to check that that
won't replace the existing key.

Presumably it's ok to have 2 KSKs for a short time?

I'm using zkt-1.1.0 (compiled myself) on debian.

[http://pointless.net/]                                   [0x2ECA0975]
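The DLV log quoted in the post shows exactly the state a validator sees mid-rollover: a KSK (flags 257, tag 16611) is present in the DNSKEY RRset, but no RRSIG over DNSKEY carries that tag, so a trust anchor pointing at it cannot validate yet ("Signing key not found"). The script below, an added example that is not part of the post or of ZKT, makes that state visible offline: it parses dig-style DNSKEY and RRSIG lines, recomputes each key's tag with the RFC 4034 Appendix B algorithm, and reports which KSKs are actually signing the DNSKEY RRset versus merely published. The record data embedded in it is constructed (tiny fake keys and dummy signatures, so the tags are small numbers, not 16611); point parse_records at real `dig +dnssec DNSKEY` output to check a live zone.

```python
"""Which KSKs in a DNSKEY RRset actually sign it? (RFC 4034 key tags)

Added example for the KSK rollover question above; not part of the original
post or of ZKT. All record data here is CONSTRUCTED (short fake keys, dummy
signatures), not real pointless.net data.
"""
import base64
import struct
from dataclasses import dataclass

SEP_BIT = 0x0001       # Secure Entry Point bit: set on KSKs (257 = 256 | 1)
ZONE_KEY_BIT = 0x0100  # bit 7 of flags: this is a zone key


@dataclass(frozen=True)
class DnsKey:
    name: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_BIT) and bool(self.flags & ZONE_KEY_BIT)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8   # odd offsets low byte, even offsets high byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RrSig:
    name: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def parse_records(text: str):
    """Parse dig presentation-format DNSKEY and RRSIG lines; ignore everything else."""
    keys, sigs = [], []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        t = line.split()
        if len(t) < 5 or t[2] != "IN":
            continue
        if t[3] == "DNSKEY":
            # <name> <ttl> IN DNSKEY <flags> <proto> <alg> <base64 key, may be split>
            pub = base64.b64decode("".join(t[7:]))
            keys.append(DnsKey(t[0], int(t[4]), int(t[5]), int(t[6]), pub))
        elif t[3] == "RRSIG":
            # <name> <ttl> IN RRSIG <type> <alg> <labels> <origttl> <expire> <incept> <keytag> <signer> <sig>
            sigs.append(RrSig(t[0], t[4], int(t[5]), int(t[10]), t[11]))
    return keys, sigs


def ksk_signing_status(keys, sigs):
    """Map each KSK's key tag -> True if some RRSIG over DNSKEY carries that tag."""
    dnskey_sig_tags = {s.key_tag for s in sigs if s.type_covered == "DNSKEY"}
    return {k.key_tag(): k.key_tag() in dnskey_sig_tags for k in keys if k.is_ksk}


def rollover_check(keys, sigs):
    """Return (signing_ksk_tags, published_only_ksk_tags).

    A DS or DLV record pointing at a tag in the second list will not validate
    until that key also signs the DNSKEY RRset (ZKT: the key is made active).
    """
    status = ksk_signing_status(keys, sigs)
    signing = sorted(t for t, ok in status.items() if ok)
    published_only = sorted(t for t, ok in status.items() if not ok)
    return signing, published_only


# CONSTRUCTED sample: old KSK signing, new KSK only published, plus the ZSK.
SAMPLE = """\
; fake dig +dnssec output (constructed, keys are 4-byte placeholders)
pointless.net. 3600 IN DNSKEY 257 3 5 AwEAAQ==
pointless.net. 3600 IN DNSKEY 257 3 5 AwEAAg==
pointless.net. 3600 IN DNSKEY 256 3 5 AwEABA==
pointless.net. 3600 IN RRSIG DNSKEY 5 2 3600 20120601000000 20120501000000 1800 pointless.net. c2lnMQ==
pointless.net. 3600 IN RRSIG DNSKEY 5 2 3600 20120601000000 20120501000000 1802 pointless.net. c2lnMg==
"""

if __name__ == "__main__":
    ks, ss = parse_records(SAMPLE)
    for k in ks:
        print(f"tag={k.key_tag()} flags={k.flags} alg={k.algorithm} ksk={k.is_ksk}")
    signing, idle = rollover_check(ks, ss)
    print("KSKs signing DNSKEY:", signing)
    print("KSKs published but not signing DNSKEY:", idle)
```

Having two KSKs in the RRset is the normal double-KSK phase of a rollover; what matters to the DLV registry or parent is that whichever key the DS/DLV entry names is in the first list, not the second, before the old key is removed.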

zkt-users mailing list