dnssec questions
CT
groups at obsd.us
Fri Aug 27 19:45:55 UTC 2010
On 08/27/2010 11:32 AM, Alan Clegg wrote:
> On 8/27/2010 11:42 AM, CT wrote:
>
>> Per my ISC class and the book I received by Jeremy C. Reid ..
>> you still need to "include" your keys in the zone file either
>>
>> via
>> $include <dir>/KSK
>> $include <dir>/ZSK1
>> $include <dir>/ZSK2
>> or
>> (cat *.key > allkeys) which is what I have done..
>> $include <dir>/allkeys
>>
>> I thought the use of -S (smart signing) that this was no longer
>> necessary ..?
>
> If you use "-S", dnssec-signzone pulls the keys into the zone file based
> on the timing metadata. You don't need to $INCLUDE the keys any longer.
>
> AlanC
>
Alan..
Much thanks for the info.. I had to include the keys for my keyset
upload to our registrar.. and it did require the keys either in the file
or with an include statement.. so a one time deal then..
Also discovered (was using 9.6.1-16.P3 before) the keyset does not
change after re-signing the zone...
One less file to keep up with ..
V/R
Charles
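
Added example (not part of the original thread, and not BIND's own code): a simplified Python model of how `dnssec-signzone -S` can decide, from the timing metadata comments in each `.key` file, which keys to publish and which to sign with, which is why the `$INCLUDE` lines become unnecessary. The file names, dates and key data are constructed, and revocation is not modeled.

```python
import re
from datetime import datetime, timezone

# Constructed sample .key files; names, dates and key data are placeholders.
SAMPLE_KEYS = {
    "Kexample.com.+005+11111.key": (   # KSK, already active
        "; Publish: 20100801000000 (Sun Aug  1 00:00:00 2010)\n"
        "; Activate: 20100801000000 (Sun Aug  1 00:00:00 2010)\n"
        "example.com. IN DNSKEY 257 3 5 PLACEHOLDER\n"),
    "Kexample.com.+005+22222.key": (   # ZSK1, already active
        "; Publish: 20100801000000\n; Activate: 20100801000000\n"
        "example.com. IN DNSKEY 256 3 5 PLACEHOLDER\n"),
    "Kexample.com.+005+33333.key": (   # ZSK2, pre-published, not yet active
        "; Publish: 20100820000000\n; Activate: 20100920000000\n"
        "example.com. IN DNSKEY 256 3 5 PLACEHOLDER\n"),
    "Kexample.com.+005+44444.key": (   # retired key, past its Delete date
        "; Publish: 20100101000000\n; Activate: 20100101000000\n"
        "; Inactive: 20100701000000\n; Delete: 20100801000000\n"
        "example.com. IN DNSKEY 256 3 5 PLACEHOLDER\n"),
    "Kexample.com.+005+55555.key": (   # old-style key file, no timing metadata
        "example.com. IN DNSKEY 256 3 5 PLACEHOLDER\n"),
}

FIELD = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)

def timing(text):
    """Parse the '; Field: YYYYMMDDHHMMSS' comment lines of a key file."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in FIELD.findall(text)}

def role(text, now):
    """Return 'sign', 'publish' or 'omit' for one key at time `now`."""
    t = timing(text)
    def past(name):
        return name in t and t[name] <= now
    if not t:
        return "sign"        # no timing metadata: published and used to sign
    if past("Delete"):
        return "omit"        # deleted keys are neither published nor used
    if past("Activate"):
        return "publish" if past("Inactive") else "sign"
    return "publish" if past("Publish") else "omit"

def plan(keys, now):
    """Map each key file name to its role at signing time."""
    return {name: role(text, now) for name, text in keys.items()}

if __name__ == "__main__":
    now = datetime(2010, 8, 27, 19, 45, 55, tzinfo=timezone.utc)
    for name, r in plan(SAMPLE_KEYS, now).items():
        print(f"{r:8} {name}")
```
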
More information about the bind-users
mailing list