How to keep the KSK private key offline with BIND dynamic signing?

How to keep the KSK private key offline with BIND dynamic signing?

arun
I tried to include the DNSKEY and RRSIG for the KSK manually in the unsigned zone file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key). dnssec-signzone succeeded, even though it complained about the path of the KSK.

# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading private key file example.com/RSASHA256/23456: file not found
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com.                 3600    IN      DNSKEY  256 3 8 AwEAAdkaiQFx+JpWOla3vhucotyePO/....
example.com.                 3600    IN      DNSKEY  257 3 8 AwEAAZt2BKCYKvu6Avr.....

But when I tried to include the same unsigned zone file and used the rndc tool (rndc sign example.com) or restarted named, the signed zone file that was generated does not have the DNSKEY for the KSK.

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com.                 3600    IN      DNSKEY  256 3 8 AwEAAdkaiQFx+JpWOla3vhucotyePO/....

Any ideas?

--
arun

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
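The post compares two "dig ... dnskey +dnssec" answers by eye to see whether the KSK (flags 257) survived the signing step. The following is an added example, written for this page and not code from the poster or from ISC/BIND, that automates that check: it parses the DNSKEY and RRSIG lines of a dig answer, classifies each key as KSK or ZSK from the SEP flag, computes the RFC 4034 Appendix B key tag for each key (the number that appears in key file names such as +008+012345 and in the "error reading private key file" warning), and reports whether the DNSKEY RRset is covered by an RRSIG made with a KSK's tag. The two dig answers embedded below are constructed for the example, with tiny fake public keys ("AQID", three bytes) rather than real RSA keys, and the parser assumes the default single-line dig output (not +multiline).

```python
"""Check a DNSSEC key set taken from `dig <zone> dnskey +dnssec` output.

Example code, not part of the original post or of BIND. The sample dig
answers below are constructed: the public keys are three fake bytes,
so the key tags are small numbers, not what a real RSA key would give.
"""
import base64

SEP_FLAG = 0x0001   # Secure Entry Point bit: set on the KSK (flags 257)
ZONE_FLAG = 0x0100  # Zone key bit: set on both KSK and ZSK


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (any algorithm but RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dig(text: str) -> dict:
    """Pull DNSKEY and RRSIG records out of single-line dig presentation format."""
    keys, rrsigs = [], []
    for line in text.splitlines():
        f = line.strip().split()
        if not f or f[0].startswith(";"):
            continue
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            keys.append({"owner": f[0], "flags": flags, "alg": alg,
                         "tag": key_tag(flags, proto, alg, pub),
                         "role": "KSK" if flags & SEP_FLAG else "ZSK"})
        elif len(f) >= 12 and f[3] == "RRSIG":
            # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
            rrsigs.append({"covers": f[4], "alg": int(f[5]),
                           "tag": int(f[10]), "signer": f[11]})
    return {"keys": keys, "rrsigs": rrsigs}


def check_dnskey_rrset(text: str) -> dict:
    """Report KSK/ZSK tags present and whether a KSK signs the DNSKEY RRset."""
    parsed = parse_dig(text)
    ksk_tags = sorted(k["tag"] for k in parsed["keys"] if k["role"] == "KSK")
    zsk_tags = sorted(k["tag"] for k in parsed["keys"] if k["role"] == "ZSK")
    sig_tags = sorted(s["tag"] for s in parsed["rrsigs"] if s["covers"] == "DNSKEY")
    problems = []
    if not ksk_tags:
        problems.append("no KSK (flags 257) in DNSKEY RRset")
    if not zsk_tags:
        problems.append("no ZSK (flags 256) in DNSKEY RRset")
    if not any(t in ksk_tags for t in sig_tags):
        # A validator walks DS -> KSK -> DNSKEY RRset; without a KSK signature
        # over the RRset the chain of trust into the zone breaks.
        problems.append("DNSKEY RRset not signed by a KSK")
    return {"ksk_tags": ksk_tags, "zsk_tags": zsk_tags,
            "dnskey_rrsig_tags": sig_tags, "problems": problems}


# Constructed dig answer with both keys and an RRSIG from each (the healthy case).
GOOD_DIG = """
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8 AQID
example.com. 3600 IN DNSKEY 257 3 8 AQID
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20300101000000 20250101000000 2059 example.com. c2ln
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20300101000000 20250101000000 2058 example.com. c2ln
"""

# Constructed dig answer shaped like the failing case: only the ZSK remains.
KSK_MISSING_DIG = """
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8 AQID
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20300101000000 20250101000000 2058 example.com. c2ln
"""

if __name__ == "__main__":
    for label, answer in (("good", GOOD_DIG), ("ksk-missing", KSK_MISSING_DIG)):
        print(label, check_dnskey_rrset(answer))
```

To use it against a live zone, feed the output of "dig @localhost example.com dnskey +dnssec" to check_dnskey_rrset; a non-empty "problems" list means the served DNSKEY RRset would not validate from the DS at the parent, regardless of what the on-disk signed file looked like.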