auto-dnssec maintain: KSK being used as a ZSK as well?

Kyle Brantley kyle at averageurl.com
Fri Dec 21 22:52:01 UTC 2012


I've generated a KSK as well as a ZSK and configured bind to maintain 
the keys.

# named.conf
options {
     [...]
     dnssec-enable yes;
     dnssec-validation yes;
     dnssec-secure-to-insecure yes;
     dnssec-dnskey-kskonly yes;
};

[...]

zone "averageurl.com." IN {
         type master;
         file "data/averageurl.com.zone";
         allow-transfer { key inter-server-key; };
         update-policy {
                 grant local-ddns zonesub any;
         };
         key-directory "keys/averageurl.com";
         auto-dnssec maintain;
};


However, when bind goes through and does the actual zone signing, it 
appears as if the KSK is signing the ZSK(s) and the actual zone data as 
well (see: http://dnsviz.net/d/averageurl.com/dnssec/).

Am I missing something obvious here? I would like the KSK to sign just 
the ZSKs... but aside from setting dnssec-dnskey-kskonly (which I've 
done) I can't see anything that I'm missing here.

OS and bind versions:
# rpm -qa | grep bind
bind-libs-9.8.2-0.10.rc1.el6_3.6.x86_64
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64
bind-9.8.2-0.10.rc1.el6_3.6.x86_64
# uname -a
Linux 2.6.32-279.14.1.el6.x86_64 #1 SMP Tue Nov 6 23:43:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Any help would be appreciated...
--Kyle
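The check that dnsviz performed for the post above, written out as an added example that is not part of the original message: parse DNSKEY and RRSIG records in dig presentation format, compute each key's tag per RFC 4034 Appendix B, and report every RRSIG made by a SEP-flagged key (a KSK, flags 257) over any RRset other than DNSKEY. The records are constructed sample data, not averageurl.com's real keys or signatures.

```python
import base64

# Constructed sample records in dig-style presentation format (not real
# averageurl.com data): one KSK (flags 257), one ZSK (flags 256), and RRSIGs
# showing the KSK signing both the DNSKEY RRset and the SOA.
SAMPLE_RECORDS = """\
averageurl.com. 3600 IN DNSKEY 257 3 8 AQAB
averageurl.com. 3600 IN DNSKEY 256 3 8 AQID
averageurl.com. 3600 IN RRSIG DNSKEY 8 2 3600 20130120000000 20121221000000 1545 averageurl.com. c2ln
averageurl.com. 3600 IN RRSIG SOA 8 2 3600 20130120000000 20121221000000 1545 averageurl.com. c2ln
averageurl.com. 3600 IN RRSIG SOA 8 2 3600 20130120000000 20121221000000 2058 averageurl.com. c2ln
"""

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (257), clear on a ZSK (256)


def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Return ({keytag: flags}, [(owner, covered_type, keytag)]) from presentation-format lines."""
    keys, sigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            keys[key_tag(flags, proto, alg, "".join(rdata[3:]))] = flags
        elif rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            sigs.append((owner, rdata[0], int(rdata[6])))
    return keys, sigs


def ksk_signed_data(text):
    """List (owner, type, keytag) for every RRSIG made by a SEP/KSK over anything except DNSKEY."""
    keys, sigs = parse_records(text)
    return sorted((o, t, k) for o, t, k in sigs if keys.get(k, 0) & SEP_FLAG and t != "DNSKEY")


if __name__ == "__main__":
    for owner, rtype, tag in ksk_signed_data(SAMPLE_RECORDS):
        print(f"KSK {tag} also signs {rtype} at {owner}")
```

Feeding it the output of `dig +dnssec +multiline averageurl.com DNSKEY` together with a `dig +dnssec` query for the zone's SOA reproduces the observation in the post; an empty list means the KSK is confined to the DNSKEY RRset.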


