How to introduce automatic signing for existing signed zones?

Niall O'Reilly niall.oreilly at ucd.ie
Mon Nov 7 14:55:01 UTC 2022


Thank you for your speedy response, Matthijs.

On 7 Nov 2022, at 13:10, Matthijs Mekking wrote:

> Ignore that, I saw too late there were attachments.

Perhaps I ought to have mentioned them explicitly.

> Are you able to share the public key and key state files with me so I 
> can investigate why BIND thinks the existing keys cannot be used?

Off list, and PGP-protected, yes.

This will mean I'll end up having to change the parent DS RRs later on.
That seems a reasonable cost for getting to the root of the problem.

I have no key state files, except after starting named, and then only
for the RSA/SHA-256 and **newly-generated** ECDSA keys.  My current
signing process uses ldns-signzone, which seems not to use such files.

> Also, the log file looks like an excerpt.

No; that's everything named, as configured, writes.

> A full debug (level 3) log would be useful too.

I'll set up for that, and follow up off list.

Thanks and best regards,
Niall
