dnssec - DS vs dnssec-signkey

Mark_Andrews at isc.org Mark_Andrews at isc.org
Mon Nov 4 23:26:40 UTC 2002


> bind 9.3 snapshot no longer compiles the dnssec-signkey/makekeyset files.
> I take it that this is because we don't need them anymore, due to DS.

	Well, keysets still need to be sent to the parent.  Whether we need
	to send a self-signed keyset or verify them some other way is up to
	the parent.
 
> It seems that dnssec-signzone magically finds the right key to reference
> in the DS. I'm guessing that this is due to the presence of the keyset- files?

	Yes.  They are used to generate DS records if they are not otherwise
	present in the zone.

> 
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

