opendnssec -> inline-signing
Randy Bush
randy at psg.com
Fri Mar 8 03:56:34 UTC 2024
[ off list ]

> I couldn't help noticing that when you ran dnssec-dsfromkey you
> referenced this directory: /usr/home/dns/Fixed

nah. i have multiple copies so i can `rsync` them to refresh.

i am getting closer. as mark pointed in the direction, i found that the
keys produced by the extraction from openhsm were old style. but i am
still muddling upgrading them. e.g.
rip.psg.com:/usr/home/dns/dkeys# dnssec-settime -f -P 20240301 -A 20240301 -I 20340301 -D 20340310 Krg.net+008+12391.key
./Krg.net.+008+12391.key
./Krg.net.+008+12391.private
rip.psg.com:/usr/home/dns/dkeys# cat Krg.net+008+12391.key
rg.net. 3600 IN DNSKEY 257 3 8 AwEAAcP46+ZNd9PbePWnmTI+yQDW4VmDFUE+eWycXz+Gu7YzQuwXyEvwHEWvZXuIRezbLU81J+R0x7c8eTGAlnJjvutz1dSQd31lG46pc15FYeMoR0ec0ukZmQKNjIZCqnxRczLF5a2LW/qnOlREDFtHY6SwQrP0QHxy2HO+vLNExsEvCGlAQznvaGomj/NS/gOIAgmw3PF5vJIKKsDb5bdMJH3xY9aDDQ+4fqlaarYAiDzTYDMN+NxSo9FkjYu/3DlQqfJoBGH8TQRdWmAZr9mKSOcHDlQGhvYbHeHboUunq0twiWG8MWDdQUwtrO5jbi9ac0wEdEQiolg6U0QR0RUVFcE=
i.e. the key was not upgraded. but, it turns out it created a new one
with a dot in the name that is an upgraded version
rip.psg.com:/usr/home/dns/dkeys# cat Krg.net.+008+12391.key
; This is a key-signing key, keyid 12391, for rg.net.
; Created: 20240308032432 (Fri Mar 8 03:24:32 2024)
; Publish: 20240301000000 (Fri Mar 1 00:00:00 2024)
; Activate: 20240301000000 (Fri Mar 1 00:00:00 2024)
; Inactive: 20340301000000 (Wed Mar 1 00:00:00 2034)
; Delete: 20340310000000 (Fri Mar 10 00:00:00 2034)
rg.net. 3600 IN DNSKEY 257 3 8 AwEAAcP46+ZNd9PbePWnmTI+yQDW4VmDFUE+eWycXz+Gu7YzQuwXyEvw HEWvZXuIRezbLU81J+R0x7c8eTGAlnJjvutz1dSQd31lG46pc15FYeMo R0ec0ukZmQKNjIZCqnxRczLF5a2LW/qnOlREDFtHY6SwQrP0QHxy2HO+ vLNExsEvCGlAQznvaGomj/NS/gOIAgmw3PF5vJIKKsDb5bdMJH3xY9aD DQ+4fqlaarYAiDzTYDMN+NxSo9FkjYu/3DlQqfJoBGH8TQRdWmAZr9mK SOcHDlQGhvYbHeHboUunq0twiWG8MWDdQUwtrO5jbi9ac0wEdEQiolg6 U0QR0RUVFcE=
randy
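
An added example, not part of the original message: one way to confirm that the dotted-name file written by dnssec-settime -f holds the same DNSKEY as the old-style file (the base64 is merely re-chunked) and that only the rewritten file carries timing metadata. The zone example.test, the toy 12-byte key and all function names are constructed for illustration.

```python
import base64
import re

TIMING = re.compile(r";\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")

def parse_key_file(text):
    """Parse a BIND K*.key file into (DNSKEY fields, timing-metadata dict)."""
    timing, record = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            m = TIMING.match(line)
            if m:
                timing[m.group(1)] = m.group(2)
        elif "DNSKEY" in line.split():
            f = line.split()
            i = f.index("DNSKEY")
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            # Base64 may be one token (old file) or split into chunks (new file).
            record = (f[0].lower(), flags, proto, alg, base64.b64decode("".join(f[i + 4:])))
    if record is None:
        raise ValueError("no DNSKEY record found")
    return record, timing

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def compare_upgrade(old_text, new_text):
    """Check that the rewritten file holds the same key and gained timing metadata."""
    old, old_timing = parse_key_file(old_text)
    new, new_timing = parse_key_file(new_text)
    return {"same_key": old == new, "tag": key_tag(*new[1:]),
            "old_has_timing": bool(old_timing), "new_has_timing": bool(new_timing)}

# Constructed sample input (toy 12-byte key, not a real zone key).
OLD = "example.test. 3600 IN DNSKEY 257 3 8 AwEAAaBBQ0RFRkdI\n"
NEW = """; This is a key-signing key, keyid 30495, for example.test.
; Created: 20240308032432 (Fri Mar  8 03:24:32 2024)
; Publish: 20240301000000 (Fri Mar  1 00:00:00 2024)
; Activate: 20240301000000 (Fri Mar  1 00:00:00 2024)
example.test. 3600 IN DNSKEY 257 3 8 AwEAAaBB Q0RFRkdI
"""

if __name__ == "__main__":
    print(compare_upgrade(OLD, NEW))
```

The computed tag can also be compared with the five-digit id in the K*.key file name to catch a file that was renamed or copied over the wrong key.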
More information about the bind-users mailing list