ZSK pre-publish

Torinthiel torinthiel at data.pl
Mon Oct 3 12:45:05 UTC 2011


On 2011-10-01 11:40, Matthew Seaman wrote:
>
> The trick is to use dnssec-settime to modify the dates built into your key
> by dnssec-keygen.  Or equivalently to use dnssec-keygen with appropriate
> flags to set the 'Activate' date (not to mention Inactive and Delete)
> some time in the future.
>
> So --- this key is active now:
>
> % dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
> Created: Sat Aug 13 07:40:28 2011
> Publish: Sat Aug 13 07:40:28 2011
> Activate: Sat Sep 10 07:40:28 2011
> Revoke: UNSET
> Inactive: Sat Oct  8 07:40:28 2011
> Delete: Sat Oct  8 07:40:28 2011
>
> but this key is only published and will activate in a week:
>
> % dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
> Created: Sat Sep 10 09:01:24 2011
> Publish: Thu Jan  1 01:00:00 1970
> Activate: Sat Oct  8 09:01:24 2011
> Revoke: UNSET
> Inactive: Sat Nov  5 08:01:24 2011
> Delete: Sat Nov  5 08:01:24 2011
>
> dnssec-signzone will grok all the built-in dates and do the right thing
> when you sign the zone.

BTW, how does dnssec-signzone behave when you pass the -s option? Does it
take that date into account when determining whether to use/publish a key?
Can one, for example, generate signatures for the future using
dnssec-signzone, or is it possible only with careful manual inclusion?
Regards,
  Torinthiel
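
An added example, not part of either post: a small parser for the two `dnssec-settime -p all` listings quoted above that classifies each key at a given moment and measures the interval between the old key's Inactive date and the new key's Activate date. The function names are hypothetical, the timestamps are treated as naive local times, and the state model (in the zone from Publish to Delete, signing from Activate to Inactive) is an assumption about how the timing metadata is read, not a statement of what dnssec-signzone does with -s.

```python
from datetime import datetime

# Constructed from the two `dnssec-settime -p all` listings quoted above.
OLD_KEY = """\
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011
"""
NEW_KEY = """\
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011
"""

def parse_settime(text):
    """Map each timing field to a naive datetime, or None when UNSET."""
    times = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            value = " ".join(value.split())  # collapse the padded day of month
            times[name.strip()] = (None if value == "UNSET" else
                                   datetime.strptime(value, "%a %b %d %H:%M:%S %Y"))
    return times

def key_state(times, when):
    """Assumed model: in the zone Publish..Delete, signing Activate..Inactive."""
    def reached(field):
        return times.get(field) is not None and when >= times[field]
    if reached("Delete"):
        return "deleted"
    if not reached("Publish"):
        return "unpublished"
    if reached("Inactive"):
        return "retired"
    return "active" if reached("Activate") else "published"

def signing_gap(old, new):
    """Old Inactive to new Activate; positive means neither key is marked active."""
    return new["Activate"] - old["Inactive"]

if __name__ == "__main__":
    old, new = parse_settime(OLD_KEY), parse_settime(NEW_KEY)
    now = datetime(2011, 10, 3, 12, 45, 5)  # date of this post, treated as local time
    print(key_state(old, now), key_state(new, now), signing_gap(old, new))
```

With the quoted dates, the old key's Inactive time falls 1:20:56 before the new key's Activate time, so a rollover check of this kind is worth running before the dates are committed with dnssec-settime.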


