ksk in a volume

Mark Andrews marka at isc.org
Tue Jun 14 02:19:51 UTC 2011


Add 'key-directory "<location>";' to named.conf so named knows where
to look for the K* files.  This is settable at the zone/view/option
levels.

As for storing K* files on another machine, if the zone is updatable
there is no point in doing so.

Mark

In message <4DF649B5.600 at noelrocha.com>, Noel Rocha writes:
> Hello,
> 
> I'm having this error after adding an RR using nsupdate:
> named[18254]: dns_dnssec_findzonekeys2: error reading private key file 
> my.zone.com/NSEC3RSASHA1/42969: file not found
> 
> Keytag 42969 is the KSK.
> 
> My named.conf is set up with the KSK to sign only dnskey:
> -------------------------------------------------
> options {
>     [..]
>     dnssec-dnskey-kskonly yes;
>     update-check-ksk yes;
> }
> -------------------------------------------------
> 
> Can't I store the private KSK on my other machine for security questions? 
> Can I ignore this error?
> 
> Recommendations?
> 
> Thanks in advance,
> Noel Rocha
> 
> On 06/10/2011 01:11 PM, Noel Rocha wrote:
> > Hello,
> >
> > I have a question about dnssec when zones are dynamically updated and 
> > very time are changed for users.
> >
> > Does the KSK need to be stored in "key-directory"? I want to store it in an 
> > unmounted volume and I will mount it when it is needed.
> >
> > P.S: I have some KSKs and ZSKs.
> >
> > Thanks in advance,
> > Noel Rocha
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
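
An added example, not part of the original thread or of BIND: a small Python check that turns the error line quoted above into the K*.private file name named expects in key-directory and reports whether it is present. It assumes the dnssec-keygen naming convention K<zone>.+<alg>+<keytag>.private; the function names are hypothetical and the temporary directory is a stand-in for the real key-directory.

```python
import re
import tempfile
from pathlib import Path

# IANA DNSSEC algorithm numbers for the mnemonics named prints in its log.
ALGORITHMS = {
    "RSASHA1": 5, "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}

LOG_RE = re.compile(
    r"error reading private key file (?P<zone>\S+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+):"
)

def expected_private_key(log_line):
    """Return the K*.private file name named wanted, or None if no match."""
    m = LOG_RE.search(log_line)
    if m is None or m["alg"] not in ALGORITHMS:
        return None
    zone = m["zone"].rstrip(".").lower()
    # Assumed dnssec-keygen convention: 3-digit algorithm, 5-digit key tag.
    return "K%s.+%03d+%05d.private" % (zone, ALGORITHMS[m["alg"]], int(m["tag"]))

def check_key_directory(log_line, key_directory):
    """Return (file_name, present) for the key the log line complains about."""
    name = expected_private_key(log_line)
    if name is None:
        raise ValueError("not a recognised private-key error line")
    return name, (Path(key_directory) / name).is_file()

# Log line from the thread, joined onto one line.
SAMPLE = ("named[18254]: dns_dnssec_findzonekeys2: error reading private key file "
          "my.zone.com/NSEC3RSASHA1/42969: file not found")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as keydir:    # stand-in for key-directory
        print(check_key_directory(SAMPLE, keydir))   # private half absent
        # Constructed placeholder file, not a real key.
        (Path(keydir) / expected_private_key(SAMPLE)).write_text("constructed\n")
        print(check_key_directory(SAMPLE, keydir))   # now found
```
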


