Re: How to prepublish additional DNSKEY

Shumon Huque shuque at gmail.com
Thu Jul 9 11:43:50 UTC 2020


On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <
daniel.stirnimann at switch.ch> wrote:

>
> On 09.07.20 11:51, Klaus Darilion wrote:
> >>> So, how is the correct process to add an additional DNSKEY (only the
> >>> public key is known).
> >>
> >> I think you are looking for `dnssec-importkey`.
> >
> > Indeed. I imported the key and got a .key and .private file. I put those
> > files in the same directory as the other keys, gave read permissions to
> > bind and executed:
> > rndc loadkeys myzone
> > rndc sign myzone
> >
> > But the additional key is not added to the response of DNSKEY queries.
>
> Does the key have correct timing metadata in the key file?
>
> Have a look at "dnssec-settime".
>

You can also set the timing metadata with dnssec-importkey itself (so that
you don't have to separately run dnssec-settime), e.g. to activate key 5
minutes from now:

    dnssec-importkey -P +5mi Kexample.com.+013+23941.key

Shumon.
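The thread's diagnosis is that an imported key stays out of the DNSKEY RRset until its timing metadata says otherwise. The following checker is an added example, not code from the thread or from BIND: it parses the "; Publish:", "; Activate:" etc. comments that the dnssec-* tools write into a K<zone>+<alg>+<id>.key file and reports whether the key should be in the RRset (and, for a locally generated key, signing) at a given instant. The two key files are constructed samples with placeholder key material; a key without a Publish time is reported as not scheduled for publication, which matches the diagnosis above, but the example does not model every corner of named's key manager.

```python
"""Check BIND DNSSEC key timing metadata (added example, not BIND's code)."""
import re
from datetime import datetime, timezone

# Timing fields that dnssec-keygen/dnssec-settime/dnssec-importkey record
# as "; Field: YYYYMMDDHHMMSS (human-readable)" comments in the .key file.
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")

_TIMING_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b")

# Constructed sample modelled on a dnssec-importkey output file: public key
# only, so no Activate time. The key material is a placeholder, not a key.
IMPORTED_KEY_FILE = """\
; This is a zone-signing key, keyid 23941, for example.com.
; Created: 20200709100000 (Thu Jul  9 10:00:00 2020)
; Publish: 20200709104800 (Thu Jul  9 10:48:00 2020)
example.com. IN DNSKEY 256 3 13 AAAAplaceholderPublicKeyMaterialNotReal==
"""

# Constructed sample of a locally generated key with a full lifecycle.
LOCAL_KEY_FILE = """\
; This is a zone-signing key, keyid 11111, for example.com.
; Created: 20200601000000 (Mon Jun  1 00:00:00 2020)
; Publish: 20200601000000 (Mon Jun  1 00:00:00 2020)
; Activate: 20200608000000 (Mon Jun  8 00:00:00 2020)
; Inactive: 20200801000000 (Sat Aug  1 00:00:00 2020)
; Delete: 20200808000000 (Sat Aug  8 00:00:00 2020)
example.com. IN DNSKEY 256 3 13 AAAAplaceholderPublicKeyMaterialNotReal==
"""


def parse_ts(ts):
    """Turn a BIND YYYYMMDDHHMMSS timestamp (stored in UTC) into an aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_timing(key_file_text):
    """Return {field: datetime} for the timing comments found in a .key file.

    The parenthesised human-readable part of each comment is ignored.
    """
    meta = {}
    for line in key_file_text.splitlines():
        m = _TIMING_RE.match(line)
        if m and m.group(1) in TIMING_FIELDS:
            meta[m.group(1)] = parse_ts(m.group(2))
    return meta


def key_state(meta, at):
    """Classify a key at aware datetime `at` from its timing metadata.

    Returns (in_rrset, signing, reason):
      in_rrset -- the key is scheduled to be in the zone's DNSKEY RRset
      signing  -- it is also within its Activate..Inactive window (an
                  imported public-only key has no Activate time and never signs)
    """
    publish, activate = meta.get("Publish"), meta.get("Activate")
    inactive, delete = meta.get("Inactive"), meta.get("Delete")

    if publish is None:
        # The usual reason an imported key never appears: nothing told
        # named when to publish it (dnssec-settime -P / dnssec-importkey -P).
        return (False, False, "no Publish time set")
    if at < publish:
        return (False, False, "Publish time is in the future")
    if delete is not None and at >= delete:
        return (False, False, "past Delete time")
    if activate is None or at < activate:
        return (True, False, "published, not active for signing")
    if inactive is not None and at >= inactive:
        return (True, False, "published, past Inactive time")
    return (True, True, "published and active")


def report(key_file_text, at):
    """Parse a .key file and classify it at `at`."""
    return key_state(parse_timing(key_file_text), at)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, text in (("imported", IMPORTED_KEY_FILE), ("local", LOCAL_KEY_FILE)):
        print(name, report(text, now))
```

Run against a real key directory, the same answer can be cross-checked with `dnssec-settime -p all Kexample.com.+013+23941`, which prints the metadata named will act on; if the Publish line is missing or in the future, `rndc loadkeys` has nothing to add yet.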