dnssec-keygen question

Evan Hunt each at isc.org
Tue Jun 30 17:58:12 UTC 2009

> I want to create a set of keys using dnssec-keygen.
> I wonder if it's possible to create one KSK key and a set of ZSKs
> and then to sign the ZSK set with the active KSK.

I'm not sure why you need a "set of" ZSKs.  One should be enough unless
you're using multiple signing algorithms.

> Finally what I want is to invoke dnssec-signzone without explicitly
> using the KSK.
> - is there another way to proceed?
> - was it the functionality of dnssec-signkey?

Yes, that's possible.  You can run dnssec-signzone in phases; it will sign
the zone with the keys it has available to it in each pass.  Something like

$ ksk=`dnssec-keygen -a RSASHA1 -b 2048 -f KSK example.com`
$ zsk=`dnssec-keygen -a RSASHA1 -b 1024 example.com`
$ cat ${ksk}.key ${zsk}.key >> example.com
$ dnssec-signzone example.com ${ksk}
$ dnssec-signzone -o example.com -f example.com.signed example.com.signed ${zsk}

The first call to dnssec-signzone signs the DNSKEY set using the KSK.
The second call signs the rest of the zone--as well as the
previously-signed DNSKEY set--using the ZSK. (That's why the -o and -f
options are there--the second time around, it's reading in the zone from
the previously-signed version, not from the master source.)

After this, if you like, you can move your KSK to a secure location.
Whenever you change the DNSKEY set (for instance, by rolling to a new
ZSK), you repeat this process.

Note that in future releases (9.6.2 and higher) you'll need to add
the -P option (meaning "partial") to dnssec-signzone for this to work.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
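Added example (not part of the post above, and not ISC code): a small Python helper that tells dnssec-keygen's KSK and ZSK output files apart by the DNSKEY flags field (257 has the SEP bit set, 256 does not) and builds the two phased dnssec-signzone invocations the reply describes, adding -P when the target BIND version is 9.6.2 or later. The key file names and contents are constructed samples in the format dnssec-keygen writes, with the key material replaced by placeholders.

```python
import re

# Constructed .key file contents in the format dnssec-keygen writes (public halves).
# Flags 257 = KSK (SEP bit set), 256 = ZSK; key data shortened to placeholders.
SAMPLE_KEYS = {
    "Kexample.com.+005+12345.key": "example.com. IN DNSKEY 257 3 5 AwEAAbPLACEHOLDER==",
    "Kexample.com.+005+54321.key": "example.com. IN DNSKEY 256 3 5 AwEAAcPLACEHOLDER==",
}

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+\d+\s+(?P<alg>\d+)\s+\S+")


def classify_key(text):
    """Return (role, owner, algorithm) from a .key file; role is 'KSK' or 'ZSK'."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue  # dnssec-keygen writes comment lines before the record
        m = DNSKEY_RE.match(line)
        if m:
            # The low bit of the flags field is the Secure Entry Point (KSK) bit
            role = "KSK" if int(m.group("flags")) & 1 else "ZSK"
            return role, m.group("owner").rstrip("."), int(m.group("alg"))
    raise ValueError("no DNSKEY record found")


def phased_sign_commands(zone, keyfiles, bind_version=(9, 6, 1)):
    """Build the two dnssec-signzone invocations from the reply as argv lists.

    Phase 1 signs the DNSKEY set with every KSK; phase 2 re-reads the signed
    file (-o/-f) and signs the rest of the zone with every ZSK. From 9.6.2
    the -P (partial) flag is required for phased signing, so it is added.
    """
    ksks, zsks = [], []
    for name, text in keyfiles.items():
        role, owner, _alg = classify_key(text)
        if owner != zone:
            raise ValueError("%s belongs to %s, not %s" % (name, owner, zone))
        # dnssec-signzone takes the key name without the .key suffix
        (ksks if role == "KSK" else zsks).append(name[:-len(".key")])
    if not ksks or not zsks:
        raise ValueError("need at least one KSK and one ZSK")
    partial = ["-P"] if bind_version >= (9, 6, 2) else []
    signed = zone + ".signed"
    return [
        ["dnssec-signzone"] + partial + [zone] + ksks,
        ["dnssec-signzone"] + partial + ["-o", zone, "-f", signed, signed] + zsks,
    ]
```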

More information about the bind-users mailing list