Signing with the KSK and ZSK
Chris Buxton
cbuxton at menandmice.com
Tue Dec 8 13:43:34 UTC 2009
On Dec 8, 2009, at 2:03 AM, xu dong wrote:
> Hi folks, i have a question about signing zone files with the ksk and the zsk, as i know,when signing the zone files i have to use the ksk and zsk both,just as following:
>
> dnssec-signzone -o domain-name -t -k KSK zone-name ZSK
> but i want to sign the ZSK with KSK first,and then sign the zone files with zsk,so how can i do?
Why do you want to sign with one key at a time? The default behavior is to sign just the dnskey RRSet with the KSK, and to sign the whole zone with the ZSK, all in one go.
Chris Buxton
Professional Services
Men & Mice
More information about the bind-users
mailing list