Signing with the KSK and ZSK
Mark Andrews
marka at isc.org
Tue Dec 8 13:51:30 UTC 2009
In message <2ac8e9ad0912072303u6327b50eoc06cbfe232632626 at mail.gmail.com>, xu dong writes:
>
> Hi folks, I have a question about signing zone files with the KSK and the
> ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
> both, just as follows:
>
> *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
> but I want to sign the ZSK with the KSK first, and then sign the zone files with
> the ZSK, so how can I do this?

Firstly you don't sign keys or files, you sign RRsets or zones.
'-x' will tell the signer to sign the DNSKEY RRset only using KSKs.

Secondly don't over-specify the command line.

'dnssec-signzone -x -o domain-name master-file'

is enough in most cases. dnssec-signzone will look at the DNSKEY
records in the master-file and work out what is needed.
The options are there for when you want dnssec-signzone to do
something non-standard.

Mark
> Thanks.
> --
> ---------------------------------------------------------
> Xudong
> Email: xudong83 at gmail.com
> Beijing,China
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
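
A way to check the result of signing with '-x', as an added example that is not part of the original message or of BIND: it reads a signed zone, classifies each DNSKEY as KSK or ZSK by its SEP flag, and reports any RRset whose RRSIGs come from the wrong kind of key. It assumes one record per line in the form `owner TTL IN TYPE rdata` (multi-line parenthesised records must be flattened first); the function names and the `example.com.` sample with dummy key bytes are constructed for illustration.

```python
import base64, struct

def key_tag(flags, proto, alg, pubkey):
    # RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def audit(zone_text):
    """Map (owner, covered type) -> set of key roles that signed that RRset."""
    roles, sigs, report = {}, [], {}
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()          # drop comments, tokenize
        if len(f) < 5 or f[2] != "IN":          # owner TTL IN TYPE rdata...
            continue
        owner, rtype, rd = f[0].lower(), f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rd[:3])
            tag = key_tag(flags, proto, alg, base64.b64decode("".join(rd[3:])))
            roles[tag] = "KSK" if flags & 1 else "ZSK"   # SEP bit set => KSK
        elif rtype == "RRSIG":
            sigs.append((owner, rd[0], int(rd[6])))      # covered type, key tag
    for owner, covered, tag in sigs:
        report.setdefault((owner, covered), set()).add(roles.get(tag, "unknown"))
    return report

def violations(report, apex):
    """Expect the apex DNSKEY RRset signed by KSKs only, the rest by ZSKs only."""
    bad = []
    for (owner, covered), who in sorted(report.items()):
        want = {"KSK"} if (owner, covered) == (apex, "DNSKEY") else {"ZSK"}
        if who != want:
            bad.append((owner, covered, sorted(who)))
    return bad

def sample_zone(dnskey_signers):
    """Constructed sample: dummy key and signature bytes, not real signer output."""
    keys = {"KSK": (257, b"\x01" * 32), "ZSK": (256, b"\x02" * 32)}
    tag = {r: key_tag(fl, 3, 8, pk) for r, (fl, pk) in keys.items()}
    rrs = [f"example.com. 3600 IN DNSKEY {fl} 3 8 {base64.b64encode(pk).decode()}"
           for fl, pk in keys.values()]
    sig = "example.com. 3600 IN RRSIG {} 8 2 3600 20100107000000 20091208000000 {} example.com. AAAA"
    rrs += [sig.format("DNSKEY", tag[r]) for r in dnskey_signers]
    rrs += [sig.format(t, tag["ZSK"]) for t in ("SOA", "NS")]
    return "\n".join(rrs)

if __name__ == "__main__":
    print(violations(audit(sample_zone(["KSK"])), "example.com."))
    print(violations(audit(sample_zone(["KSK", "ZSK"])), "example.com."))
```

A DNSKEY RRset that also carries a ZSK signature, as in the second sample, shows up as a violation; an "unknown" role means an RRSIG refers to a key tag with no matching DNSKEY in the file.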