Signing with the KSK and ZSK
cbuxton at menandmice.com
Tue Dec 8 13:43:34 UTC 2009
On Dec 8, 2009, at 2:03 AM, xu dong wrote:
> Hi folks, i have a question about signing zone files with the ksk and the zsk, as i know,when signing the zone files i have to use the ksk and zsk both,just as following:
> dnssec-signzone -o domain-name -t -k KSK zone-name ZSK
> but i want to sign the ZSK with KSK first,and then sign the zone files with zsk,so how can i do?
Why do you want to sign with one key at a time? The default behavior is to sign just the dnskey RRSet with the KSK, and to sign the whole zone with the ZSK, all in one go.
Men & Mice
More information about the bind-users