DNSSEC Keys - and trying to not leaving them around

Mark Elkins mje at posix.co.za
Wed Jan 12 15:07:29 UTC 2011

There are some parts of Key management with DNSSEC that I don't quite
get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and
running "dnssec-signzone  -3 "abcd" -o example.com -p -t -A example.com"

I believe that:-
1 - The KSK is used to sign the ZSK.
2 - The ZSK is used to sign the rest of the data in the zone.

(I'm a little unclear which parts of the KSK are needed to sign the ZSK
and which parts of the ZSK need to be around to sign the rest of the

On a virgin zone - you'd need the private parts of the ZSK and KSK's
available (either in the local directory or as the arg to a "-d").
Technically - the public parts (*.key) could be in the zone to be signed
- so don't need to be available any more. (ie - there was a "cat K*.key
>> zone")

Doesn't seem to work like that - as I'm getting the error (for each key)
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file co.za/NSEC3RSASHA1/64250: file not found

(64250 is the ZSK)
If I also have the *.key parts in the same directory - all works OK.

So the error message is lying to me!!! ??? - Bug?


So now I want to resign the zone. Its already signed. How can I do that
without having to have the Private KSK still around. I'd have thought
that I'd just perhaps need the Private ZSK around to re-sign new zone

(here I removed the KSK Private file - 9983)
I think this works - but I get the message:
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/NSEC3RSASHA1/9983: file not found

So why is dnssec-signzone worried about the private part of a KSK that
it (I believe) should not need? Bug?


My zone changes quite a bit - so what I was thinking to do is Sign a
very basic copy of the zone (SOA, NS records - not much else) - then
move the Private KSK's off the disk completely - then add in my
"dynamic" data and re-sign as often as I need (whenever my "dynamic"
data changes) with just my Private ZSK available.

After about 6 month (whatever) - I can then create a new KSK - bring
back my original 'off-disk' Private KSK - sign a new basic copy of my
zone - take the two Private KSK's offline and go through the whole KSK
roll-over process. ie - I only have the private part of the KSK on the
disk for a very short time - usually its off-site. I should be able to
generate my very basic zone on a completely different server - perhaps
not connected to the Internet at all - and just (via USB stick) copy
over the basic signed zone every six months?

I'm just worried about the earlier error messages

Can someone please explain? (What is needed when)
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6696 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110112/7ff2eaee/attachment.bin>

More information about the bind-users mailing list