Didn't see this earlier for some reason ...

Holger Zuleger <holger.zule...@hznet.de> 2013-01-10 23:35:
> Hi Brian,
>
>> I've been exploring various dnssec key management tools out there of late and ran across this one, which I think is my favorite so far.
>
> Sounds good.
>
>> I say "key management", since originally, my intention was just to find something that would help me in doing the key rollover and lifetime selection and setting for the standard bind9 dnssec-keygen tool, dump those all in the same directory (the key repository if you will) and then I was just going to use dnssec-signzone -S "smart signing" to have it use the timestamp values in those keys to figure out which DNSKEY entries and DS entries to include.
>
> I didn't check it myself, but maybe DSKM fulfills your needs.
Thanks for the tip. This does look interesting, but so far I think zkt is still a better match for our environment.
> ... You have to $INCLUDE dnskey.db, and if you like to use a soa serial format of yyymmddnnn, then the SOA record needs a special layout.
>
>> It seems that zkt can do some of the "smart signing" (inclusion of appropriate ds and dnskey records) as well, though requires a different zone layout for me to be able to use it.
Yeah, all of that was fine. Just the directory layout, but that was easy enough to change. The rest has been in tracking down other problems with things like cidr domains and a careful dance between full paths and relative paths.
> First of all, yes you are right. ZKT was implemented at a time when BIND was not able to sign the zone automatically. With BIND 9.7 and moreover since the very cool inline signing feature of BIND 9.9, the resigning of the zone should be done by BIND itself.
>
>> My question was whether the two methods are compatible (looks to be not since the comment headers are different and the zkt-signer.c source specifically includes the -C compatibility option for newer dnssec-keygen bind9 tools), OR if there's any intention to make zkt make use of the smart signing stuff and that key format in the future?
>
> I am thinking about a new ZKT version with the primary use of key rollover, but it requires a lot of re-coding and, to be honest, I don't have the resources to do it right now.
I hear ya. I for one would appreciate it.

Cheers,
Brian
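The key-selection behaviour Brian describes above (timing metadata written by dnssec-keygen, then dnssec-signzone -S choosing which DNSKEYs to publish and which keys to sign with) is what this added example mirrors; it is not code from the thread, from ZKT or from BIND. It assumes BIND's ";\ Publish:/Activate:/Inactive:/Delete: YYYYMMDDHHMMSS" comment layout in .key files and uses a constructed three-key repository with placeholder key data.

```python
import re
from datetime import datetime

# dnssec-keygen -P/-A/-I/-D write timestamps as YYYYMMDDHHMMSS into the .key comments.
_TS = "%Y%m%d%H%M%S"
_META = re.compile(r";\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")

# Constructed sample key repository (ZSK pre-publish rollover plus one KSK);
# the DNSKEY data fields are placeholders, not real key material.
SAMPLE_REPO = {
    "Kexample.com.+008+11111.key":
        "; Publish: 20130101000000\n; Activate: 20130101000000\n"
        "; Inactive: 20130201000000\n; Delete: 20130215000000\n"
        "example.com. IN DNSKEY 256 3 8 PLACEHOLDER-ZSK-OLD\n",
    "Kexample.com.+008+22222.key":
        "; Publish: 20130115000000\n; Activate: 20130201000000\n"
        "example.com. IN DNSKEY 256 3 8 PLACEHOLDER-ZSK-NEW\n",
    "Kexample.com.+008+33333.key":
        "; Publish: 20130101000000\n; Activate: 20130101000000\n"
        "example.com. IN DNSKEY 257 3 8 PLACEHOLDER-KSK\n",
}

def parse_key_file(text):
    """Return ({event: datetime}, DNSKEY RR line) for one .key file."""
    meta, rr = {}, None
    for line in text.splitlines():
        m = _META.match(line)
        if m:
            meta[m.group(1)] = datetime.strptime(m.group(2), _TS)
        elif " DNSKEY " in line:          # the record itself, never a ';' comment
            rr = line.strip()
    return meta, rr

def key_state(meta, now):
    """Smart-signing rules as I read them: publish from Publish until Delete, sign
    from Activate until Inactive; a missing Inactive/Delete means indefinitely."""
    published = "Publish" in meta and meta["Publish"] <= now < meta.get("Delete", datetime.max)
    active = "Activate" in meta and meta["Activate"] <= now < meta.get("Inactive", datetime.max)
    return published, active

def select_keys(repo, now):
    """Return (sorted keyids to publish as DNSKEY, sorted keyids to sign with) at `now`."""
    if isinstance(now, str):
        now = datetime.strptime(now, _TS)
    publish, sign = [], []
    for name, text in repo.items():
        keyid = int(name.split("+")[-1].split(".")[0])   # Kname+alg+keyid.key
        published, active = key_state(parse_key_file(text)[0], now)
        if published:
            publish.append(keyid)
        if active:
            sign.append(keyid)
    return sorted(publish), sorted(sign)
```

Running select_keys over the sample at 2013-01-20, 2013-02-10 and 2013-03-01 walks through the rollover: the new ZSK is pre-published but not yet signing, then signs while the old one lingers as a DNSKEY, then the old one disappears.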
_______________________________________________
zkt-users mailing list
firstname.lastname@example.org
https://lists.sourceforge.net/lists/listinfo/zkt-users