How to keep the KSK private key offline with BIND dynamic signing?
Arun N S
arun at arunns.com
Sun Jan 24 13:07:05 UTC 2016
I tried to include the DNSKEY and RRSIG for the KSK manually in the unsigned zone
file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key).
dnssec-signzone succeeded, even though it was complaining about the
path for the KSK.
# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/RSASHA256/23456: file not found
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....
example.com. 3600 IN DNSKEY 257 3 8
AwEAAZt2BKCYKvu6Avr.....
But when I tried to include the same unsigned zone file and used the rndc tool
(rndc sign example.com) or restarted named, the generated signed zone file
does not have the DNSKEY for the KSK.
# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....
Any ideas?
--
arun
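The post checks the published DNSKEY RRset by eye with dig. The following script, added here as an example and not code from BIND or from the poster, does the same check mechanically: it parses DNSKEY records out of dig's answer section (including the line-wrapped form shown above), decodes the flags field (256 is a zone key without the SEP bit, i.e. a ZSK; 257 has the SEP bit set, i.e. a KSK; 0x0080 marks a revoked key), and reports whether both key types are present. The two sample outputs are constructed from the post, with key material truncated exactly as it is there, so the script never decodes the base64.

```python
"""Check a dig DNSKEY answer for the presence of both a KSK and a ZSK.

Added example for this thread; not part of BIND. The sample inputs are
constructed from the post (key material truncated as in the post).
"""
import re
from dataclasses import dataclass

# DNSKEY flag bits (RFC 4034 section 2.1; REVOKE bit from RFC 5011)
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001


@dataclass
class DnsKey:
    name: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key_b64: str

    @property
    def is_revoked(self) -> bool:
        return bool(self.flags & FLAG_REVOKE)

    @property
    def is_ksk(self) -> bool:
        # A KSK is a zone key with the Secure Entry Point bit set (flags 257).
        return bool(self.flags & FLAG_ZONE) and bool(self.flags & FLAG_SEP)

    @property
    def is_zsk(self) -> bool:
        # A ZSK is a zone key without the SEP bit (flags 256).
        return bool(self.flags & FLAG_ZONE) and not (self.flags & FLAG_SEP)


# Matches "name ttl IN DNSKEY flags protocol algorithm [key...]"; the key
# may be absent when dig (or a mail client) wrapped it onto the next line.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s*(?P<key>.*)$"
)


def parse_dnskeys(dig_output: str) -> list:
    """Return the DNSKEY records found in dig's text output."""
    keys = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and ";;" section headers
        m = RECORD_RE.match(line)
        if m:
            keys.append(DnsKey(m["name"], int(m["ttl"]), int(m["flags"]),
                               int(m["proto"]), int(m["alg"]), m["key"].strip()))
        elif keys and " IN " not in line:
            # Continuation of the previous key's base64 (wrapped output,
            # or the parenthesised +multiline form); other RR types contain
            # " IN " and are skipped.
            keys[-1].key_b64 += line.replace("(", "").replace(")", "").replace(" ", "")
    return keys


def ksk_status(dig_output: str) -> dict:
    """Summarise the non-revoked keys: counts per role and a pass/fail flag."""
    active = [k for k in parse_dnskeys(dig_output) if not k.is_revoked]
    ksks = [k for k in active if k.is_ksk]
    zsks = [k for k in active if k.is_zsk]
    return {
        "ksk": len(ksks),
        "zsk": len(zsks),
        "algorithms": sorted({k.algorithm for k in active}),
        "ok": bool(ksks) and bool(zsks),
    }


# Constructed from the two dig answers in the post (keys truncated there too).
AFTER_SIGNZONE = """\
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....
example.com. 3600 IN DNSKEY 257 3 8
AwEAAZt2BKCYKvu6Avr.....
"""

AFTER_RNDC_SIGN = """\
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....
"""

if __name__ == "__main__":
    for label, sample in (("dnssec-signzone", AFTER_SIGNZONE),
                          ("rndc sign", AFTER_RNDC_SIGN)):
        print(label, ksk_status(sample))
```

Run against a live server with `dig @localhost example.com DNSKEY +dnssec` piped in via `sys.stdin.read()` in place of the constructed samples; a result with `"ok": False` is the symptom the post describes after `rndc sign`, and a non-empty revoked set or an unexpected algorithm list is worth a look for the same reason.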