Tried to include the DNSKEY and RRSIG for the KSK manually in the unsigned zone file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key). The dnssec-signzone run succeeded, even though it was complaining about the path for the KSK.

# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading private key file example.com/RSASHA256/23456: file not found
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8 AwEAAdkaiQFx+JpWOla3vhucotyePO/....
example.com. 3600 IN DNSKEY 257 3 8 AwEAAZt2BKCYKvu6Avr.....

But when I tried to include the same unsigned zone file and used the rndc tool (rndc sign example.com) or a named restart, the signed zone file generated does not have the DNSKEY for the KSK.

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8 AwEAAdkaiQFx+JpWOla3vhucotyePO/....

Any ideas?

--
arun
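The symptom above (a served DNSKEY RRset containing only the flags-256 ZSK and no flags-257 KSK) is easy to miss by eye, so here is a small checker that parses `dig ... dnskey` output, computes each key's RFC 4034 key tag, and reports whether both roles are present. This is an added example, not the poster's code or anything from BIND; the DNSKEY records in it are constructed with short dummy public keys, since the post's key material is truncated.

```python
import base64
import re
from typing import Dict, List

# Constructed sample of `dig @localhost example.com dnskey +dnssec` output;
# the public keys are dummies, not real RSASHA256 keys.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8 AQID
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==
"""

# owner, ttl, class, type, flags, protocol, algorithm, base64 key (comments after ';' ignored)
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+([^;]+)")


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the ones-complement-free sum over the RDATA).
    Not valid for algorithm 1 (RSA/MD5), which uses a different scheme."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(dig_output: str) -> List[Dict]:
    """Turn DNSKEY lines from dig output into dicts with role (KSK/ZSK) and key tag."""
    keys = []
    for line in dig_output.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue  # comment, question section, blank line, other RR types
        owner, flags, proto, alg, b64 = m.groups()
        pubkey = base64.b64decode("".join(b64.split()))
        flags_i = int(flags)
        keys.append({
            "owner": owner, "flags": flags_i, "algorithm": int(alg),
            "tag": key_tag(flags_i, int(proto), int(alg), pubkey),
            "role": "KSK" if flags_i & 0x0001 else "ZSK",  # SEP bit set => KSK
        })
    return keys


def check_dnskey_rrset(dig_output: str) -> Dict:
    """ok is True only when at least one KSK and one ZSK are published."""
    keys = parse_dnskeys(dig_output)
    ksk_tags = [k["tag"] for k in keys if k["role"] == "KSK"]
    zsk_tags = [k["tag"] for k in keys if k["role"] == "ZSK"]
    return {"ksk_tags": ksk_tags, "zsk_tags": zsk_tags, "ok": bool(ksk_tags) and bool(zsk_tags)}
```

Run it against the real `dig` output of a zone after `rndc sign`; an `ok` of False with an empty `ksk_tags` list is exactly the state described in the post, and the `ksk_tags` should also match the key tag in the parent's DS record.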
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users