On 12/05/12 00:27, Daniel Salzman wrote:
> Hi,
Hi,
>
> I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use
> DelegationSignerSubmitCommand option
> for starting my external program, I am missing any information about key
> identifier relating to DNSKEY record,
> that should be subsequently used for key ds-seen. Although there is
> possibility to compute key_id manually,
> this is not ideal approach due to ambiguity. It would be useful to add
> CKA_ID in comment to DelegationSignerSubmitCommand
> parameter (if required in configuration).
When phased to the same issue, we provided a change to OpenDNSSEC to
include the CKA_ID into the ods-ksmutil key export output.
Our test system produces the following
ods-ksmutil key export --zone nz
SQLite database set to: /var/opendnssec/kasp.db
;active KSK DNSKEY record:
; CKA_ID: a6a5695ca0ebaaa741f2b552889fd502
nz. 3600 IN DNSKEY 257 3 8
AwEAAaT0q51/JlyU37rJl/12ji5Qx/64oeftxIHpOMDVbCwOs1VWHeuGcZhwA8SBd9iCYGNMzcZptjMUd0C2DaJsbfhFFmIyUdq39s1qKYdo41HajX7NQIxb89C+SQIlsuVs0mNrPHjiczm2KFkM7oY8D3nORJCEDxglc4+NxZuaDgVlTqFXVqzgg/y5z3LLySou4XA1g5mpGaf5M+DUwWa/zs9aWF5M88y9JzpacuXcCzY0H7bvsOn/0/qlTlrecpMUt3sSpLHcE4idFjn8xK3BCEVDWlXXQDIweU07d6Sg6GhYtbbNp8l3Y7dw9XjLGOF2Xts9VRzBwBcELwb0R4AkiO0=
;{id = 21091 (ksk), size = 2048b}
If I recall correctly, the DelegationSignerSubmitCommand receives that
output, that would allow you to match the right DNSKEY with the DS record.
Cheers,
>
> Thanks
> Dan
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
