opendnssec -> inline-signing

Randy Bush randy at psg.com
Thu Mar 7 23:54:34 UTC 2024


> Your DS and DNSKEY rrset are not matched.  You
> need to publish the DS for the DNSKEY with key
> tag 3463.
> 
> rg.net. 86256 IN DS 12391 8 2 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
> 
> rg.net. 3463 IN DNSKEY 256 3 8 (
> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
> OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
> tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
> KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
> y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
> bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
> ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
> kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
> ) ; ZSK; alg = RSASHA256 ; key id = 43431
> rg.net. 3463 IN DNSKEY 257 3 8 (
> AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
> 4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
> dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
> g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
> 26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
> 6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
> 8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
> s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
> ) ; KSK; alg = RSASHA256 ; key id = 30790
> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
> 20240321203948 20240307193948 30790 rg.net.
> OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
> 8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
> OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
> LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
> ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
> kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
> liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
> B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )
> 
>> https://git.rg.net/randy/randy/src/master/scratch.md

yes, we can see that, as we noted.  and yes we could rekey 42 zones at
the parents; great fun.

but WHY NOT?  same key sets with opendnssec and inline-signing, we
think.

randy
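
To check whether a DS and a DNSKEY belong together, as the quoted reply discusses, the sketch below recomputes the RFC 4034 key tag and the SHA-256 DS digest for the KSK in the quoted dig output and compares them with the DS shown there. It is an added example, not part of either poster's message; the function names are illustrative, and the record data is copied from the quoted output.

```python
import base64, hashlib, struct

# Copied from the dig output quoted above (DS digest with its space removed).
OWNER = "rg.net."
PARENT_DS = (12391, 8, 2,
             "0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA1C0792C9")
KSK = (257, 3, 8, """
AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
""")

def dnskey_rdata(flags, proto, alg, b64):
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(b64.split()))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name | DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()

def ds_matches(ds, name, rdata):
    """True only if key tag, algorithm and digest all agree with the DNSKEY."""
    tag, alg, digest_type, digest = ds
    return (digest_type == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.upper() == ds_digest(name, rdata))

def ds_record(name, rdata):
    """DS line in presentation format that corresponds to this DNSKEY."""
    return f"{name} IN DS {key_tag(rdata)} {rdata[3]} 2 {ds_digest(name, rdata)}"

if __name__ == "__main__":
    ksk = dnskey_rdata(*KSK)
    print(ds_matches(PARENT_DS, OWNER, ksk), ds_record(OWNER, ksk))
```

Run across every signed zone before and after a signer migration, the same comparison shows which zones have a DS at the parent that no longer refers to a published KSK.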

