AW: AW: How to prepublish additional DNSKEY

Klaus Darilion klaus.darilion at nic.at
Wed Jul 15 12:30:15 UTC 2020


Thanks - now it works.
Klaus

From: Shumon Huque <shuque at gmail.com>
Sent: Thursday, 9 July 2020 13:44
To: Daniel Stirnimann <daniel.stirnimann at switch.ch>
Cc: Klaus Darilion <klaus.darilion at nic.at>; bind-users at lists.isc.org
Subject: Re: AW: How to prepublish additional DNSKEY

On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:

On 09.07.20 11:51, Klaus Darilion wrote:
>>> So, what is the correct process to add an additional DNSKEY (only the public key is known).
>>
>> I think you are looking for `dnssec-importkey`.
>
> Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
> rndc loadkeys myzone
> rndc sign myzone
>
> But the additional key is not added to the response of DNSKEY queries.

Does the key have correct timing metadata in the key file?

Have a look at "dnssec-settime".

You can also set the timing metadata with dnssec-importkey itself (so that you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

    dnssec-importkey -P +5mi -K Kexample.com.+013+23941.key

Shumon.
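
A check for the timing-metadata question raised above, as an added example that is not part of the original thread: it reads the `; Publish:` and `; Delete:` comment lines that BIND writes into a `.key` file and reports whether the key is due for publication at a given UTC time. The function names and the sample key file (including its key data) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read the timing metadata comments in a
# BIND .key file and say whether the DNSKEY is due for publication.

# key_meta FILE FIELD: print the YYYYMMDDHHMMSS value of a "; FIELD: ..." line.
key_meta() {
    sed -n "s/^; *$2: *\([0-9]\{14\}\).*/\1/p" "$1" | head -n 1
}

# publish_state FILE [NOW]: print unset, pending, published or deleted.
# NOW is a UTC timestamp in the same 14-digit form; defaults to the current time.
publish_state() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    pub=$(key_meta "$1" Publish)
    del=$(key_meta "$1" Delete)
    if [ -z "$pub" ]; then
        echo unset            # no Publish time recorded in the file
    elif [ -n "$del" ] && [ "$del" -le "$now" ]; then
        echo deleted          # Delete time has passed
    elif [ "$pub" -gt "$now" ]; then
        echo pending          # Publish time is still in the future
    else
        echo published        # Publish time reached, Delete time not reached
    fi
}

# write_sample_key FILE: constructed key file, Publish set 5 minutes after creation.
write_sample_key() {
    cat > "$1" <<'EOF'
; This is a key-signing key, keyid 23941, for example.com.
; Created: 20200709114400 (Thu Jul  9 11:44:00 2020)
; Publish: 20200709114900 (Thu Jul  9 11:49:00 2020)
example.com. IN DNSKEY 257 3 13 Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
EOF
}

# Demonstration on the constructed sample, one minute and six minutes after creation.
sample=$(mktemp)
write_sample_key "$sample"
echo "at 11:45 UTC: $(publish_state "$sample" 20200709114500)"
echo "at 11:50 UTC: $(publish_state "$sample" 20200709115000)"
rm -f "$sample"
```

Run `publish_state` against the imported key file before `rndc loadkeys`; a result of `unset` or `pending` means the Publish time still needs to be set or reached.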