ksk in a volume

Noel Rocha noel at noelrocha.com
Wed Jun 15 13:51:38 UTC 2011


Thanks.

In this situation:
- KSK signs the ZSK (DNSKEY RR).
- ZSK signs the other RRs of the zone.

I don't see a reason for the KSK to be present in operations unless 
adding/deleting DNSKEY RRs.

I think this error message is a bug:
dns_dnssec_findzonekeys2: error reading private key file 
my.zone.com/NSEC3RSASHA1/42969(KSK): file not found

or not?

On 06/13/2011 11:19 PM, Mark Andrews wrote:
> Add 'key-directory "<location>";' to named.conf so named knows where
> to look for the K* files.  This is settable at zone/view/options
> levels.
>
> As for storing K* files on another machine, if the zone is updatable
> there is no point in doing so.
>
> Mark
>
> In message<4DF649B5.600 at noelrocha.com>, Noel Rocha writes:
>> Hello,
>>
>> I'm having this error after adding an RR using nsupdate:
>> named[18254]: dns_dnssec_findzonekeys2: error reading private key file
>> my.zone.com/NSEC3RSASHA1/42969: file not found
>>
>> Keytag 42969 is the KSK.
>>
>> My named.conf is setup with the KSK to sign only dnskey:
>> -------------------------------------------------
>> options {
>>      [..]
>>      dnssec-dnskey-kskonly yes;
>>      update-check-ksk yes;
>> }
>> -------------------------------------------------
>>
>> Can't I store the private KSK on my other machine for security reasons?
>> Can I ignore this error?
>>
>> Recommendations?
>>
>> Thanks in advance,
>> Noel Rocha
>>
>> On 06/10/2011 01:11 PM, Noel Rocha wrote:
>>> Hello,
>>>
>>> I have a question about dnssec when zones are dynamically updated and
>>> changed by users all the time.
>>>
>>> Does the KSK need to be stored in "key-directory"? I want to store it on an
>>> unmounted volume and mount it when needed.
>>>
>>> P.S: I have some KSKs and ZSKs.
>>>
>>> Thanks in advance,
>>> Noel Rocha
>>> _______________________________________________
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
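The lookup behind the "file not found" error, as an added example (not code from this thread or from BIND itself): a small POSIX shell script that builds the K<zone>.+<alg>+<tag> file name named expects to find under key-directory, tells a KSK from a ZSK by the flags field of the .key file (257 = SEP bit set, 256 = no SEP bit), and reports a missing private half the way named does when it has to re-sign after an nsupdate. The zone name, algorithm and key tags are taken from the thread; the directory, the mnemonic-to-number table (only for the algorithms listed) and the file contents are constructed for this example, and the key material is fake.

```shell
# Added example, not BIND code. Reproduces the check behind
#   dns_dnssec_findzonekeys2: error reading private key file
#   my.zone.com/NSEC3RSASHA1/42969(KSK): file not found
# named looks in key-directory for K<zone>.+<NNN>+<TTTTT>.private,
# where NNN is the algorithm number and TTTTT the zero-padded key tag.

# Algorithm mnemonic (as printed in the log line) -> number used in file names.
# Constructed table covering a few common algorithms only.
alg_number() {
    case "$1" in
        RSASHA1)          echo 005 ;;
        NSEC3RSASHA1)     echo 007 ;;
        RSASHA256)        echo 008 ;;
        RSASHA512)        echo 010 ;;
        ECDSAP256SHA256)  echo 013 ;;
        ECDSAP384SHA384)  echo 014 ;;
        *) return 1 ;;
    esac
}

# key_file_base DIR ZONE ALG TAG -> prints DIR/K<zone>.+NNN+TTTTT (no suffix).
# TAG is the decimal key tag from the log line.
key_file_base() {
    dir=$1; zone=${2%.}
    alg=$(alg_number "$3") || return 1
    tag=$(printf '%05d' "$4")
    printf '%s/K%s.+%s+%s' "$dir" "$zone" "$alg" "$tag"
}

# key_role BASE -> prints KSK or ZSK from the flags field following "DNSKEY"
# in BASE.key (works with or without a TTL column); returns 1 if unreadable.
key_role() {
    [ -r "$1.key" ] || return 1
    flags=$(awk '$1 !~ /^;/ { for (i = 1; i <= NF; i++)
                 if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1.key")
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *) return 1 ;;
    esac
}

# check_private_key DIR ZONE ALG TAG: what named needs when it must sign.
# Returns 0 if the private key is readable, 1 if it is missing (the
# "file not found" case), 2 for an unknown algorithm mnemonic.
check_private_key() {
    base=$(key_file_base "$1" "$2" "$3" "$4") || return 2
    if [ -r "$base.private" ]; then
        echo "found: $base.private ($(key_role "$base" || echo unknown))"
        return 0
    fi
    echo "missing: $base.private" >&2
    return 1
}

# make_fixture DIR: constructed key directory. The ZSK has both halves;
# the KSK has only its .key file, as when the private half sits on an
# unmounted volume. The base64 key material is fake.
make_fixture() {
    mkdir -p "$1"
    printf 'my.zone.com. IN DNSKEY 256 3 7 AwEAAconstructedZSK==\n' \
        > "$1/Kmy.zone.com.+007+12345.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 7 (NSEC3RSASHA1)\n' \
        > "$1/Kmy.zone.com.+007+12345.private"
    printf 'my.zone.com. IN DNSKEY 257 3 7 AwEAAconstructedKSK==\n' \
        > "$1/Kmy.zone.com.+007+42969.key"
}

# demo: build the fixture and run the two lookups from the thread.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    check_private_key "$d" my.zone.com NSEC3RSASHA1 12345
    check_private_key "$d" my.zone.com NSEC3RSASHA1 42969 \
        || echo "named would log 'file not found' for the KSK (tag 42969)"
    rm -rf "$d"
}
demo
```

The point the script makes concrete: with dynamic updates, named itself must be able to open the .private file of whichever key signs the RRset that changed, so a KSK whose private half is only mounted on demand will produce this message whenever the DNSKEY RRset has to be re-signed while the volume is absent.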