"@lbutlr" <krem...@kreme.com> writes:
> On 2022 Apr 10, at 05:37, Bjørn Mork <bj...@mork.no> wrote:
>> "@lbutlr" <krem...@kreme.com> writes:
>>
>>> # dnssec-keygen -a 13 example.com
>>> # dnssec-keygen -f KSK -a 13 example.com
>>>
>>> Add $INCLUDE to the zone file for each of these 4 keys.
>>
>> 4? You've generated 2 key pairs. There should be only 2 public keys
>> included in the zone.
>
> Ah, right, of course. I knew it was something dumb.
>
>> But I can recommend the automated zone maintenance instead, either using
>> the modern "dnssec-policy":
>
> I do have that set, but getting the domain setup in the first place seemed to
> still be necessary.

Should not be required. Keys will be generated and published according
to the policy, and the zone will be automatically signed. See:
https://kb.isc.org/docs/dnssec-key-and-signing-policy

> Now to find the DS key...

If you use the default policy then you'll have a CDS record for your
upstream. Or you can run

  dnssec-dsfromkey Kexample.com.+013+*.key

(replacing the input with your public KSK file, of course)


Bjørn
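
Added example, not part of the original message and not BIND code: a Python sketch of the RFC 4034 computation that turns a KSK's DNSKEY line into a SHA-256 DS record, useful for checking that the DS held by the parent matches the key the zone publishes. The key material is a constructed all-zero placeholder (not a valid P-256 key), the function names are hypothetical, and the input is assumed to be a single-line DNSKEY record.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire format of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line: str) -> str:
    """Build a digest-type-2 (SHA-256) DS record from one DNSKEY line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    if not flags & 0x0001:
        # Design choice of this sketch: only accept keys with the SEP bit.
        raise ValueError("SEP bit not set: this is a ZSK, use the KSK (flags 257)")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return f"{fields[0].lower()} IN DS {key_tag(rdata)} {alg} 2 {digest}"

# Constructed sample input: 64 zero bytes stand in for the algorithm 13
# public key so the example runs offline. Replace with a real .key line.
SAMPLE_PUBKEY = base64.b64encode(bytes(64)).decode()
SAMPLE_KSK = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_PUBKEY}"
SAMPLE_ZSK = f"example.com. 3600 IN DNSKEY 256 3 13 {SAMPLE_PUBKEY}"

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK))
```

The digest covers the owner name as well as the key, so a DS computed for one zone name never validates the same key published under another.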