<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 10/01/2011 04:40 AM, Matthew Seaman wrote:
<blockquote cite="mid:4E86E019.6010506@infracaninophile.co.uk"
type="cite">
<pre wrap="">On 01/10/2011 09:25, CT wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I have a few static zones that I sign via script
keydir = directory for both KSK and ZSK
$zone = zone file
/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
Fetching KSK 4054/RSASHA256 from key repository.
Fetching ZSK 36948/RSASHA256 from key repository.
Fetching ZSK 65304/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 2 active, 0 stand-by, 0 revoked
My question is that both ZSKs are published; how do I make one stand-by?
</pre>
</blockquote>
</blockquote>
<blockquote type="cite">
<pre wrap="">To be more specific, can I do this with the dnssec-signzone tool versus a
$include/stand-by-key
in the zone file?
</pre>
</blockquote>
<pre wrap="">
The trick is to use dnssec-settime to modify the dates built into your key
by dnssec-keygen. Or, equivalently, to use dnssec-keygen with appropriate
flags to set the 'Activate' date (not to mention Inactive and Delete)
some time in the future.
So --- this key is active now:
% dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct 8 07:40:28 2011
Delete: Sat Oct 8 07:40:28 2011
but this key is only published and will activate in a week:
% dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan 1 01:00:00 1970
Activate: Sat Oct 8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov 5 08:01:24 2011
Delete: Sat Nov 5 08:01:24 2011
dnssec-signzone will grok all the built-in dates and do the right thing
when you sign the zone.
Cheers,
Matthew
</pre>
</blockquote>
Matthew..<br>
I have never used the dnssec-settime before..<br>
Thank you..<br>
CT<br>
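As an added illustration (not code from the thread or from BIND), the following Python parses the two <code>dnssec-settime -p all</code> listings quoted above, classifies each key the way dnssec-signzone counts it (published but not yet activated is "stand-by"), and flags any interval in which no key is active at all. The key file names and the reply's timestamp are taken from the thread; the ordering of the timing events used for classification is an assumption of this example.

```python
from datetime import datetime
# Constructed sample: timing lines of the two `dnssec-settime -p all` listings quoted in the thread.
SAMPLE = {"Kinfracaninophile.co.uk.+005+04664.private": """\
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct 8 07:40:28 2011
Delete: Sat Oct 8 07:40:28 2011""",
          "Kinfracaninophile.co.uk.+005+44132.private": """\
Publish: Thu Jan 1 01:00:00 1970
Activate: Sat Oct 8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov 5 08:01:24 2011
Delete: Sat Nov 5 08:01:24 2011"""}

def parse_settime(text):
    """Parse `dnssec-settime -p all` lines into {event: datetime or None (UNSET)}."""
    meta = {}
    for line in filter(None, text.splitlines()):
        event, _, value = line.partition(":")
        value = " ".join(value.split())  # collapse ctime-style day padding
        meta[event.strip()] = (None if value == "UNSET" else
                               datetime.strptime(value, "%a %b %d %H:%M:%S %Y"))
    return meta

def key_state(meta, at):
    """State the key is in at `at`; published-but-not-activated is 'stand-by'."""
    for event, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Revoke", "revoked"), ("Activate", "active"),
                         ("Publish", "stand-by")):
        if meta.get(event) is not None and meta[event] <= at:
            return state
    return "unpublished"

def rollover_gaps(keys):
    """(start, end) intervals after first activation with no active key; end None = still open."""
    events = sorted({t for m in keys.values() for t in m.values() if t})
    gaps, was_active = [], False
    for t in events:
        active = any(key_state(m, t) == "active" for m in keys.values())
        if was_active and not active:
            gaps.append([t, None])          # an active key just went away
        elif active and gaps and gaps[-1][1] is None:
            gaps[-1][1] = t                 # a successor became active
        was_active = active
    return [tuple(g) for g in gaps]

KEYS = {name: parse_settime(text) for name, text in SAMPLE.items()}
STATES_NOW = {n: key_state(m, datetime(2011, 10, 1, 4, 40)) for n, m in KEYS.items()}  # at reply time
```

On the thread's own dates the old key's Inactive/Delete time (Oct 8 07:40:28) precedes the new key's Activate time (Oct 8 09:01:24), so the check reports a gap of about 80 minutes with no active ZSK.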
</body>
</html>