auto-dnssec maintain: KSK being used as a ZSK as well?
kyle at averageurl.com
Sat Dec 22 02:50:43 UTC 2012
On 12/21/2012 7:37 PM, Alan Clegg wrote:
> On Dec 22, 2012, at 12:42 PM, Evan Hunt <each at isc.org> wrote:
>>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>>> a(nother) ZSK.
>> You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
>> named not to use the ZSK when it signs the DNSKEY RRset, but it should
>> still use the ZSK (and not the KSK) for all the other data in the zone.
> Eh, yep. Thanks for that catch, Evan.
> I think we may have found the problem "off-list" and it may be another thing for the signer to look into... more in a bit.
Aye. Thanks, Alan, for the help. The problem was that I was generating an
RSASHA512 for my KSK, but I was using NSEC3RSASHA1 for my ZSKs. I
generated a temporary ZSK that was also RSASHA512 to match my KSK and it
is working great now.
Now to go decimate the entropy on my box for a bit to generate some more
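
An added example (not part of the original post, and not BIND code): a small Python check for the mismatch described above. It reads DNSKEY records in presentation format and reports any algorithm that has a KSK without a ZSK, or the reverse. The zone name, function names and key data are constructed placeholders.

```python
import re

# IANA DNSSEC algorithm numbers (subset) for readable output.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256"}
ZONE_BIT, REVOKE_BIT, SEP_BIT = 0x0100, 0x0080, 0x0001  # DNSKEY flag bits

# Matches "... DNSKEY <flags> <protocol> <algorithm> <key data>"
DNSKEY_RE = re.compile(r"\bDNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\S", re.IGNORECASE)

def roles_by_algorithm(text):
    """Map algorithm number -> set of roles ("KSK"/"ZSK") present in text."""
    roles = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop comments (dig, key files)
        m = DNSKEY_RE.search(line)
        if not m:
            continue
        flags, _proto, alg = map(int, m.groups())
        if not flags & ZONE_BIT or flags & REVOKE_BIT:
            continue                          # not a usable zone key
        role = "KSK" if flags & SEP_BIT else "ZSK"   # 257 vs 256
        roles.setdefault(alg, set()).add(role)
    return roles

def missing_roles(text):
    """Return [(algorithm, missing_role), ...] sorted by algorithm number."""
    out = []
    for alg, roles in sorted(roles_by_algorithm(text).items()):
        for role in sorted({"KSK", "ZSK"} - roles):
            out.append((alg, role))
    return out

# Constructed sample: the setup from the post (RSASHA512 KSK, NSEC3RSASHA1 ZSK).
SAMPLE_MISMATCH = """\
; constructed records, key data is a placeholder
example.com. 3600 IN DNSKEY 257 3 10 Q09OU1RSVUNURUQ=
example.com. 3600 IN DNSKEY 256 3 7 Q09OU1RSVUNURUQ=
"""
# Constructed sample: KSK and ZSK share one algorithm.
SAMPLE_MATCHED = """\
example.com. 3600 IN DNSKEY 257 3 10 Q09OU1RSVUNURUQ=
example.com. 3600 IN DNSKEY 256 3 10 Q09OU1RSVUNURUQ=
"""

if __name__ == "__main__":
    for alg, role in missing_roles(SAMPLE_MISMATCH):
        print(f"{ALG_NAMES.get(alg, alg)} (alg {alg}): no {role} with this algorithm")
```

The same functions accept the output of `dig example.com DNSKEY +multi` only if each record is on one line; multi-line records need joining first.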