auto-dnssec maintain: KSK being used as a ZSK as well?
Kyle Brantley
kyle at averageurl.com
Fri Dec 21 23:03:10 UTC 2012
On 12/21/2012 3:56 PM, Alan Clegg wrote:
> On Dec 22, 2012, at 9:52 AM, Kyle Brantley <kyle at averageurl.com> wrote:
>
>> # named.conf
>> options {
>> [...]
>> dnssec-enable yes;
>> dnssec-validation yes;
>> dnssec-secure-to-insecure yes;
>> dnssec-dnskey-kskonly yes;
>> }
> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as a(nother) ZSK.
>
> Don't do that. Also, unless you are planning on deleting the DNSKEY resource records, get rid of the "secure-to-insecure" as well.
>
> AlanC
Initially I didn't have the directive in there at all and it was still
doing this. I added it in to see if it would help resolve the problem.
I've flipped it to no and resigned the zone... but it's still using the
ZSK as a KSK. I also re-tried it without the directive at all, and it is
still using the ZSK as a KSK.
re: secure-to-insecure: I'll be removing this statement once I get these
keys working properly. At the moment, that's how I'm resigning the zone:
delete the DNSKEY records via nsupdate and then re-add them.
--Kyle
More information about the bind-users
mailing list