On Dec 22, 2012, at 10:03 AM, Kyle Brantley <k...@averageurl.com> wrote:
> On 12/21/2012 3:56 PM, Alan Clegg wrote:
>> On Dec 22, 2012, at 9:52 AM, Kyle Brantley <k...@averageurl.com> wrote:
>>
>>> # named.conf
>>> options {
>>>     [...]
>>>     dnssec-enable yes;
>>>     dnssec-validation yes;
>>>     dnssec-secure-to-insecure yes;
>>>     dnssec-dnskey-kskonly yes;
>>> }
>>
>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>> a(nother) ZSK.
>>
>> Don't do that. Also, unless you are planning on deleting the DNSKEY
>> resource records, get rid of the "secure-to-insecure" as well.
>
> Initially I didn't have the directive in there at all and it was still doing
> this. I added it in to see if it would help resolve the problem. I've flipped
> it to no and resigned the zone... but it's still using the ZSK as a KSK. I
> also re-tried it without the directive at all, and it is still using the ZSK
> as a KSK.

BIND won't sign with the KSK in the way shown unless that directive was there (or it was a static zone and it was signed with the KSK instead of the ZSK (and then, only when forced)).

> re: secure-to-insecure: I'll be removing this statement once I get these keys
> working properly. At the moment, that's how I'm resigning the zone: delete
> the DNSKEY records via nsupdate and then re-add them.

That's not resigning a zone, that's destroying a zone and rebuilding on the rubble.

I haven't watched it, but you may find the presentation link on this page useful:

http://www.nanog.org/meetings/nanog50/abstracts.php?pt=MTY3NSZuYW5vZzUw&nm=nanog50

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
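As an added example (not code from the thread or from ISC), the check below reads a DNSKEY RRset and its RRSIGs in dig's presentation format, computes each key's tag per RFC 4034 Appendix B, and reports whether each signature over the DNSKEY RRset was made by a KSK (SEP bit set, flags 257) or a ZSK (flags 256). This is the quickest way to confirm which key is actually signing the apex DNSKEY RRset, which is what the thread is arguing about. The zone name, key material and key tags in the sample are constructed; the public keys are stub values, not real keys.

```python
import base64
import struct

# Constructed sample in the shape of "dig example.com DNSKEY +dnssec" output,
# one record per line. The public keys are stub values (not real keys); only
# flags, algorithm and the derived key tags matter for this check.
SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQAB
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20130121000000 20121222000000 1544 example.com. c2ln
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20130121000000 20121222000000 1545 example.com. c2ln
"""

SEP_BIT = 0x0001  # DNSKEY flags bit that marks a key-signing key (257 = ZONE | SEP)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (any algorithm except RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_signers(text):
    """Map key tag -> 'KSK' | 'ZSK' | 'UNKNOWN' for every RRSIG covering the DNSKEY RRset.

    'UNKNOWN' means the signature's key tag matches no key in the published RRset.
    """
    flags_by_tag = {}
    signer_tags = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            flags_by_tag[key_tag(flags, proto, alg, "".join(f[7:]))] = flags
        elif len(f) >= 12 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            signer_tags.append(int(f[10]))  # RRSIG field 7 of RDATA is the key tag
    roles = {}
    for tag in signer_tags:
        flags = flags_by_tag.get(tag)
        if flags is None:
            roles[tag] = "UNKNOWN"
        else:
            roles[tag] = "KSK" if flags & SEP_BIT else "ZSK"
    return roles


if __name__ == "__main__":
    for tag, role in sorted(dnskey_signers(SAMPLE).items()):
        print(f"DNSKEY RRset signed by key tag {tag}: {role}")
```

With `dnssec-dnskey-kskonly yes` you would expect only KSK entries in the output; a ZSK entry means the zone-signing key is also signing the apex DNSKEY RRset.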