ZSK pre-publish

CT groups at obsd.us
Sat Oct 1 08:25:58 UTC 2011


> I have a few static zones that I sign via script
> keydir = directory for both KSK and ZSK
> $zone = zone file
> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
>
>
> Fetching KSK 4054/RSASHA256 from key repository.
> Fetching ZSK 36948/RSASHA256 from key repository.
> Fetching ZSK 65304/RSASHA256 from key repository.
> Verifying the zone using the following algorithms: RSASHA256.
> Zone signing complete:
> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>                        ZSKs: 2 active, 0 stand-by, 0 revoked
>
>
> My question is that both ZSKs are published; how do I make 1 standby?
>
> Thx
> CT
>
>
To be more specific, can I do this with the dnssec-signzone tool versus a
$include/stand-by-key in the zone file?
Thx
CT


