dnssec-signzone ignoring "-x" option?

Paul Wouters paul at cypherpunks.ca
Mon Sep 17 20:58:36 UTC 2012


I'm looking at creating "identical zones" with two independently
developed dnssec signers (bind + opendnssec). I stumbled upon three
differences, one of which might be a bug in bind.

opendnssec does not easily allow the DNSKEY RRset to be signed with
both KSK and ZSK. So I was looking at using the "-x" option with
dnssec-signzone, but it seems that at least for my commandline
invocation, that this option is completely ignored. The version used
is 9.7.4.

Does anyone use dnssec-signzone with -x? If so, can you check/tell me
your DNSKEY RRset? And if it works, could you reveal the full
commandline argument used, the bind version, and whether any pkcs#11
provider was compiled in?
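
One way to check the outcome the post asks about, as an added example that is not part of the original post or of BIND: it reads a signed zone and reports whether the RRSIGs covering the DNSKEY RRset come from key-signing keys only (what -x is documented to produce) or from both KSK and ZSK. The function names, the one-record-per-line zone layout and the sample records are assumptions constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_signers(zone_text):
    """Roles of the keys whose RRSIGs cover the DNSKEY RRset, e.g. ["KSK", "ZSK"].

    Assumes one record per line: owner TTL class type RDATA (no parentheses).
    """
    roles, signer_tags = {}, []
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()          # drop comments, split fields
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            tag = key_tag(flags, proto, alg, "".join(f[7:]))
            roles[tag] = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit marks a KSK
        elif len(f) >= 13 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            signer_tags.append(int(f[10]))      # key tag field of the RRSIG RDATA
    return sorted({roles.get(t, "unknown") for t in signer_tags})

# Constructed sample data: toy key material and placeholder signatures.
KEYS = (
    "example. 3600 IN DNSKEY 257 3 8 AQIDBA==\n"
    "example. 3600 IN DNSKEY 256 3 8 AQIDBA==\n"
)
SIG = "example. 3600 IN RRSIG DNSKEY 8 1 3600 20121017000000 20120917000000 {} example. c2ln\n"
ZONE_KSK_ONLY = KEYS + SIG.format(2063)               # DNSKEY RRset signed by the KSK only
ZONE_BOTH = KEYS + SIG.format(2063) + SIG.format(2062)  # signed by KSK and ZSK

if __name__ == "__main__":
    print("KSK only:", dnskey_signers(ZONE_KSK_ONLY))
    print("KSK + ZSK:", dnskey_signers(ZONE_BOTH))
```

A result containing "ZSK" means the DNSKEY RRset carries a zone-signing-key signature; "unknown" means an RRSIG references a key tag that is not in the zone's DNSKEY RRset.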



