ZSK pre-publish

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Oct 1 09:40:41 UTC 2011 

On 01/10/2011 09:25, CT wrote:
> 
>> I have a few static zones that I sign via script
>> keydir = directory for both KSK and ZSK
>> $zone = zone file
>> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
>>
>>
>> Fetching KSK 4054/RSASHA256 from key repository.
>> Fetching ZSK 36948/RSASHA256 from key repository.
>> Fetching ZSK 65304/RSASHA256 from key repository.
>> Verifying the zone using the following algorithms: RSASHA256.
>> Zone signing complete:
>> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>>                                        ZSKs: 2 active, 0 stand-by, 0
>> revoked
>>
>>
>> My question is that both zsk's are published, how do I make 1 standby

> To be more specific , can I do this with the dnssec-signzone tool versus a
> $include/stand-by-key
> in the zone file

The trick is to use dnssec-settime modify the dates built into your key
by dnssec-keygen.  Or equivalently to use dnssec-keygen with appropriate
flags to set the 'Activate' date (not to mention Inactive and Delete)
some time in the future.

So --- this key is active now:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011

but this key is only published and will activate in a week:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011

dnssec-signzone will grok all the built-in dates and do the right thing
when you sign the zone.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111001/69c7f563/attachment.bin>

More information about the bind-users mailing list