On 12/21/2012 7:37 PM, Alan Clegg wrote:
> On Dec 22, 2012, at 12:42 PM, Evan Hunt <e...@isc.org> wrote:
>
>>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>>> a(nother) ZSK.
>> You're thinking of "update-check-ksk".  "dnssec-dnskey-kskonly" tells
>> named not to use the ZSK when it signs the DNSKEY RRset, but it should
>> still use the ZSK (and not the KSK) for all the other data in the zone.
> Eh, yep.  Thanks for that catch, Evan.
>
> I think we may have found the problem "off-list" and it may be another thing
> for the signer to look into... more in a bit.
>
> AlanC

Aye. Thanks, Alan, for the help. The problem was that I was generating an RSASHA512 for my KSK, but I was using NSEC3RSASHA1 for my ZSKs. I generated a temporary ZSK that was also RSASHA512 to match my KSK and it is working great now.

Now to go decimate the entropy on my box for a bit to generate some more RSASHA512 keys...

--Kyle
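
A pre-signing check for the mismatch described in this thread, added here as an example and not code from the posters or from BIND: it reads DNSKEY records and reports any algorithm that has a KSK but no ZSK, or the reverse. It assumes the RFC 4035 section 2.2 requirement that every RRset be signed with each algorithm present in the apex DNSKEY RRset; the function names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Mnemonics as BIND's dnssec-keygen spells them (IANA algorithm numbers).
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
ZONE_FLAG, SEP_FLAG = 0x0100, 0x0001  # SEP set => KSK (257), clear => ZSK (256)

# owner [ttl] [IN] DNSKEY flags protocol algorithm key-data
DNSKEY_RE = re.compile(
    r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\S", re.I)

def roles_by_algorithm(zone_text):
    """Map algorithm number -> set of roles ("KSK"/"ZSK") among the DNSKEYs."""
    roles = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue  # zone-file comment
        m = DNSKEY_RE.match(line)
        if not m:
            continue  # some other record type
        flags, _proto, alg = (int(g) for g in m.groups())
        if flags & ZONE_FLAG:  # only zone keys are used to sign zone data
            roles[alg].add("KSK" if flags & SEP_FLAG else "ZSK")
    return dict(roles)

def missing_roles(zone_text):
    """Return sorted (algorithm, missing_role) pairs; an empty list is consistent."""
    gaps = []
    for alg, have in roles_by_algorithm(zone_text).items():
        gaps += [(alg, role) for role in ("KSK", "ZSK") if role not in have]
    return sorted(gaps)

# Constructed sample records; the key data is placeholder text, not real keys.
MISMATCHED = """\
; RSASHA512 KSK with an NSEC3RSASHA1 ZSK, as in the thread
example.com. 3600 IN DNSKEY 257 3 10 AwEAAconstructedKSK=
example.com. 3600 IN DNSKEY 256 3 7 AwEAAconstructedZSK=
"""
MATCHED = """\
example.com. 3600 IN DNSKEY 257 3 10 AwEAAconstructedKSK=
example.com. 3600 IN DNSKEY 256 3 10 AwEAAconstructedZSK=
"""

if __name__ == "__main__":
    for label, text in (("mismatched", MISMATCHED), ("matched", MATCHED)):
        for alg, role in missing_roles(text):
            print(f"{label}: no {role} for {ALG_NAMES.get(alg, alg)} (alg {alg})")
```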

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
