Hello all,

I've been exploring various dnssec key management tools out there of late and ran across this one, which I think is my favorite so far.

I say "key management", since originally, my intention was just to find something that would help me in doing the key rollover and lifetime selection and setting for the standard bind9 dnssec-keygen tool, dump those all in the same directory (the key repository if you will) and then I was just going to use dnssec-signzone -S "smart signing" to have it use the timestamp values in those keys to figure out which DNSKEY entries and DS entries to include. I specifically didn't want a heavyweight tool since we already have many years and a large mess of perl and db scripting around our existing dns infrastructure (a sql db holds the zone record data which gets generated into files via cron and then determine when to sign them - currently without any rollover smarts).

It seems that zkt can do some of the "smart signing" (inclusion of appropriate ds and dnskey records) as well, though requires a different zone layout for me to be able to use it.

My question was whether the two methods are compatible (looks to be not since the comment headers are different and the zkt-signer.c source specifically includes the -C compatibility option for newer dnssec-keygen bind9 tools), OR if there's any intention to make zkt make use of the smart signing stuff and that key format in the future?


zkt-users mailing list
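
Added example (not part of the original message, and not code from BIND or zkt): a simplified Python model of how the timing comments in a dnssec-keygen key file decide whether dnssec-signzone -S publishes a key and signs with it, following the rules in the dnssec-signzone man page. The sample key file, key id, zone name and function names are constructed for illustration, and Revoke handling is omitted.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a key file with timing metadata comments
# (zone, key id and key data are placeholders, not a real key).
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130201000000 (Fri Feb  1 00:00:00 2013)
; Inactive: 20130501000000 (Wed May  1 00:00:00 2013)
; Delete: 20130601000000 (Sat Jun  1 00:00:00 2013)
example.com. IN DNSKEY 256 3 8 PLACEHOLDERKEYDATA
"""

# Matches "; Field: YYYYMMDDHHMMSS" comment lines; other comments are ignored.
META = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)

def parse_timing(text):
    """Return {field: UTC datetime} for each timing comment in a key file."""
    return {name: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, ts in META.findall(text)}

def key_state(timing, now):
    """Classify a key as 'publish+sign', 'publish' or 'omit' at time `now`."""
    def passed(field):
        return field in timing and timing[field] <= now
    # A key with no timing metadata at all is published and used for signing.
    if not any(f in timing for f in ("Publish", "Activate", "Inactive", "Delete")):
        return "publish+sign"
    if passed("Delete"):        # removed from the zone regardless of other fields
        return "omit"
    if passed("Inactive"):      # retired: still in the DNSKEY set, no longer signs
        return "publish"
    if passed("Activate"):      # active keys are published even without Publish
        return "publish+sign"
    if passed("Publish"):       # pre-published ahead of activation
        return "publish"
    return "omit"               # nothing has taken effect yet

if __name__ == "__main__":
    timing = parse_timing(SAMPLE_KEY)
    for day in ("20121201", "20130115", "20130301", "20130515", "20130701"):
        now = datetime.strptime(day, "%Y%m%d").replace(tzinfo=timezone.utc)
        print(day, key_state(timing, now))
```

A key file without any of these timing comments falls into the first branch, which is why the comment header format matters when mixing key files produced by different tools.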