How to keep the KSK private key offline with BIND dynamic signing?

Arun N S arun at arunns.com
Sun Jan 24 13:07:05 UTC 2016


Tried to include the DNSKEY and RRSIG for the KSK manually in the unsigned zone
file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key).
The dnssec-signzone succeeded, even though it was complaining about the
path for the KSK.

# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/RSASHA256/23456: file not found
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com.                 3600    IN      DNSKEY  256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....
example.com.                 3600    IN      DNSKEY  257 3 8
AwEAAZt2BKCYKvu6Avr.....

But when I tried to include the same unsigned zone file and used the rndc tool
(rndc sign example.com) or restarted named, the signed zone file generated
does not have the DNSKEY for the KSK.

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com.                 3600    IN      DNSKEY  256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/....

Any ideas?

--
arun
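A check for exactly the symptom described in this post, added here as an example and not part of the original message or of BIND: it parses DNSKEY records from a dig answer section (joining the wrapped base64 lines dig prints), computes each key's tag per RFC 4034 Appendix B, and reports which role (KSK, identified by the SEP flag in 257, or ZSK, 256) is missing from the published RRset. The sample answer is constructed with a placeholder public key (AQIDBA==, four bytes), so the tags it yields are not those of the keys in the post.

```python
import base64
import re
from dataclasses import dataclass
from typing import List

SEP_FLAG = 0x0001       # Secure Entry Point bit (RFC 4034 2.1.1); set on a KSK
ZONE_KEY_FLAG = 0x0100  # bit 7: this DNSKEY is a zone key


@dataclass
class DnsKey:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm])
                 + self.public_key)
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


_RR_START = re.compile(r"^\S+\s+\d+\s+IN\s+")
_DNSKEY = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def _logical_lines(text: str) -> List[str]:
    """Rejoin records that dig wrapped onto several lines; drop comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if _RR_START.match(line):
            lines.append(line)
        elif lines:                      # continuation of the base64 key
            lines[-1] += " " + line
    return lines


def parse_dig_dnskeys(text: str) -> List[DnsKey]:
    """Return the DNSKEY records found in a dig answer section."""
    keys = []
    for line in _logical_lines(text):
        m = _DNSKEY.match(line)
        if not m:                        # RRSIG or other types: ignore
            continue
        pubkey = base64.b64decode(m.group(6).replace(" ", ""))
        keys.append(DnsKey(m.group(1), int(m.group(2)), int(m.group(3)),
                           int(m.group(4)), int(m.group(5)), pubkey))
    return keys


def missing_roles(keys: List[DnsKey]) -> List[str]:
    """List the roles ('KSK', 'ZSK') absent from the published RRset."""
    zone_keys = [k for k in keys if k.flags & ZONE_KEY_FLAG]
    missing = []
    if not any(k.is_ksk for k in zone_keys):
        missing.append("KSK")
    if not any(not k.is_ksk for k in zone_keys):
        missing.append("ZSK")
    return missing


# Constructed sample in dig's layout; the public key is a placeholder.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
example.com.                 3600    IN      DNSKEY  256 3 8
AQIDBA==
example.com.                 3600    IN      DNSKEY  257 3 8
AQIDBA==
"""

if __name__ == "__main__":
    published = parse_dig_dnskeys(SAMPLE_ANSWER)
    for k in published:
        role = "KSK" if k.is_ksk else "ZSK"
        print(f"{k.owner} {role} alg={k.algorithm} tag={k.key_tag()}")
    print("missing:", missing_roles(published) or "none")
```

Run it against `dig @localhost example.com dnskey +dnssec` output after `rndc sign` or a restart; a result of `missing: ['KSK']` is the condition the post reports, and the key tags let you confirm the published KSK is the one whose DS record is at the parent.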