ZSK pre-publish

CT groups at obsd.us
Sat Oct 1 13:14:11 UTC 2011


On 10/01/2011 04:40 AM, Matthew Seaman wrote:
> On 01/10/2011 09:25, CT wrote:
>>> I have a few static zones that I sign via script
>>> keydir = directory for both KSK and ZSK
>>> $zone = zone file
>>> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
>>>
>>>
>>> Fetching KSK 4054/RSASHA256 from key repository.
>>> Fetching ZSK 36948/RSASHA256 from key repository.
>>> Fetching ZSK 65304/RSASHA256 from key repository.
>>> Verifying the zone using the following algorithms: RSASHA256.
>>> Zone signing complete:
>>> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>>>                        ZSKs: 2 active, 0 stand-by, 0 revoked
>>>
>>>
>>> My question is that both ZSKs are published; how do I make one stand-by?
>> To be more specific, can I do this with the dnssec-signzone tool versus a
>> $INCLUDE of the stand-by key in the zone file?
> The trick is to use dnssec-settime to modify the dates built into your key
> by dnssec-keygen.  Or equivalently, use dnssec-keygen with appropriate
> flags to set the 'Activate' date (not to mention Inactive and Delete)
> some time in the future.
>
> So --- this key is active now:
>
> % dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
> Created: Sat Aug 13 07:40:28 2011
> Publish: Sat Aug 13 07:40:28 2011
> Activate: Sat Sep 10 07:40:28 2011
> Revoke: UNSET
> Inactive: Sat Oct  8 07:40:28 2011
> Delete: Sat Oct  8 07:40:28 2011
>
> but this key is only published and will activate in a week:
>
> % dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
> Created: Sat Sep 10 09:01:24 2011
> Publish: Thu Jan  1 01:00:00 1970
> Activate: Sat Oct  8 09:01:24 2011
> Revoke: UNSET
> Inactive: Sat Nov  5 08:01:24 2011
> Delete: Sat Nov  5 08:01:24 2011
>
> dnssec-signzone will grok all the built-in dates and do the right thing
> when you sign the zone.
>
> 	Cheers,
>
> 	Matthew
>
Matthew,
I have never used dnssec-settime before.
Thank you.
CT
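The exchange above turns on the timing metadata dnssec-keygen stores in a key and dnssec-settime prints: a key whose Publish date has passed but whose Activate date is still in the future is included in the zone as a stand-by (pre-published) ZSK, and dnssec-signzone -S counts it that way. The following is an added example, not code from the thread or from BIND: it parses the two `dnssec-settime -p all` listings Matthew posted (embedded verbatim as sample input) and classifies each key at a chosen time using a simplified version of the publish/activate/inactive/delete rules, so an operator can check what a signing run will see before running it. The state names and the simplified rule order are this example's own assumptions, not BIND's internal terminology.

```python
from datetime import datetime

# Sample input: the two key listings quoted in the thread, exactly as
# `dnssec-settime -p all` prints them (only the printed dates are needed).
ACTIVE_KEY = """\
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011
"""

STANDBY_KEY = """\
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011
"""

FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_settime_output(text):
    """Return {field: datetime or None} from `dnssec-settime -p all` output.

    UNSET fields become None.  Whitespace is normalised first because the
    tool pads single-digit days with two spaces ("Oct  8").
    """
    meta = {f: None for f in FIELDS}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), " ".join(value.split())
        if field not in FIELDS or value == "UNSET":
            continue
        meta[field] = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    return meta


def key_state(meta, now):
    """Classify one key at time `now` (assumed, simplified rule order).

    The rules mirror what the thread describes: a key is only in the zone
    once Publish has passed, only signs between Activate and Inactive, and
    is pre-published ("stand-by") while Publish has passed but Activate has not.
    """
    def reached(field):
        return meta[field] is not None and meta[field] <= now

    if reached("Delete"):
        return "deleted"          # removed from the zone entirely
    if not reached("Publish"):
        return "unpublished"      # not yet in the DNSKEY RRset
    if reached("Revoke"):
        return "revoked"
    if reached("Inactive"):
        return "inactive"         # still published, no longer signing
    if reached("Activate"):
        return "active"           # published and signing
    return "stand-by"             # published, not yet signing (pre-published)


def summarize(listings, now):
    """Count key states the way the dnssec-signzone summary line does."""
    counts = {}
    for text in listings:
        state = key_state(parse_settime_output(text), now)
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    # The date of CT's mail: one key should be active and one stand-by.
    when = datetime(2011, 10, 1, 13, 14, 11)
    for label, text in (("04664", ACTIVE_KEY), ("44132", STANDBY_KEY)):
        print(label, key_state(parse_settime_output(text), when))
    print(summarize([ACTIVE_KEY, STANDBY_KEY], when))
```

Run against the real key directory by piping `dnssec-settime -p all K<zone>+<alg>+<id>.private` output into `parse_settime_output`; feeding the rollover date into `summarize` shows whether the old key will already have been deleted (as it will here on Oct 8, since Inactive and Delete coincide) before the new one activates, which is the gap to watch for in a pre-publish schedule.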