On 01/10/2011 09:25, CT wrote:
>
>> I have a few static zones that I sign via script
>> keydir = directory for both KSK and ZSK
>> $zone = zone file
>> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
>>
>> Fetching KSK 4054/RSASHA256 from key repository.
>> Fetching ZSK 36948/RSASHA256 from key repository.
>> Fetching ZSK 65304/RSASHA256 from key repository.
>> Verifying the zone using the following algorithms: RSASHA256.
>> Zone signing complete:
>> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>> ZSKs: 2 active, 0 stand-by, 0 revoked
>>
>> My question is that both ZSKs are published; how do I make one stand-by?
> To be more specific, can I do this with the dnssec-signzone tool versus a
> $include/stand-by-key
> in the zone file

The trick is to use dnssec-settime to modify the dates built into your key by dnssec-keygen. Or, equivalently, to use dnssec-keygen with appropriate flags to set the 'Activate' date (not to mention Inactive and Delete) some time in the future. So --- this key is active now:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct 8 07:40:28 2011
Delete: Sat Oct 8 07:40:28 2011

but this key is only published and will activate in a week:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan 1 01:00:00 1970
Activate: Sat Oct 8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov 5 08:01:24 2011
Delete: Sat Nov 5 08:01:24 2011

dnssec-signzone will grok all the built-in dates and do the right thing when you sign the zone.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
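As an added example (not code from this thread or from BIND), a small Python checker that parses the two `dnssec-settime -p all` listings quoted in the reply and classifies each key at a chosen time, so an operator can confirm that exactly one ZSK is active and one is stand-by before running dnssec-signzone. The state names and the `zsk_plan_ok` helper are my own; the rules assume the documented meaning of the timing fields (Publish puts the key in the DNSKEY RRset, Activate starts signing with it, Inactive stops signing, Delete withdraws it).

```python
from datetime import datetime

# Constructed sample input: the two `dnssec-settime -p all` listings quoted in the reply.
ACTIVE_KEY = """\
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct 8 07:40:28 2011
Delete: Sat Oct 8 07:40:28 2011
"""
STANDBY_KEY = """\
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan 1 01:00:00 1970
Activate: Sat Oct 8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov 5 08:01:24 2011
Delete: Sat Nov 5 08:01:24 2011
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamps printed by dnssec-settime
EVENTS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")

def parse_settime(text):
    """Parse `dnssec-settime -p all` output into {event: datetime or None (UNSET)}."""
    meta = dict.fromkeys(EVENTS)
    for line in text.splitlines():
        name, _, value = (s.strip() for s in line.partition(":"))
        if name in EVENTS and value != "UNSET":
            meta[name] = datetime.strptime(value, TIME_FMT)
    return meta

def key_state(meta, now):
    """Classify a key at `now` (assumed field semantics: Publish = in DNSKEY RRset,
    Activate = signing, Inactive = stopped signing, Delete = withdrawn)."""
    reached = lambda ev: meta[ev] is not None and meta[ev] <= now
    if reached("Delete"):
        return "deleted"
    if reached("Revoke"):
        return "revoked"
    if not reached("Publish"):
        return "unpublished"
    if not reached("Activate"):
        return "standby"          # published but not yet signing: the stand-by ZSK
    return "inactive" if reached("Inactive") else "active"

def zsk_plan_ok(listings, now):
    """Pre-publish rollover sanity check: exactly one active and one stand-by ZSK."""
    states = [key_state(parse_settime(t), now) for t in listings]
    return states.count("active") == 1 and states.count("standby") == 1
```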
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users