dnssec - DS vs dnssec-signkey

Jakob Schlyter jakob at crt.se
Mon Nov 4 23:31:03 UTC 2002


On Mon, 4 Nov 2002, Michael Richardson wrote:

> It seems that dnssec-signzone magically finds the right key to reference
> in the DS. I'm guessing that this is due to presence of the keyset- files?

dnssec-signzone looks for keyset- files in the directory specified using
the '-d' option. if it finds a keyset-child.domain file, it will create a
DS record using the keys found in this file. it will also create a keyset-
file for its own domain, usable for sending to the parent.

in my test system, I generate the DS records myself using perl and
Net::DNS. that way I don't depend on having keyset- files in the
filesystem.

I'm considering adding an option to dnssec-signzone so that it doesn't
look for the keyset- files. I guess the probing for files (using stat)
shouldn't be a problem, but it should give some (although small) speedup
for a zone with 100k+ delegations.

	jakob
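
Added example (not part of the original message, and not the poster's Perl/Net::DNS script): one way to derive a DS record directly from a child's key, with no dependence on keyset- files found on disk. It goes beyond the message by assuming the DNSKEY/DS format later standardized in RFC 4034; the function names and the sample key line are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercased labels, length-prefixed, root-terminated."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_key_line(line: str):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def make_ds(line: str, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name in wire form | DNSKEY RDATA)."""
    owner, rdata = parse_key_line(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

# Constructed sample, not a real key: public key bytes 01 02 03 04 ("AQIDBA==")
SAMPLE = "Child.Example. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(make_ds(SAMPLE))
```

Because the owner name is lowercased before hashing, the same key yields the same digest however the delegation is capitalized in the zone file.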