[Opendnssec-develop] Signer conf

Jakob Schlyter jakob at kirei.se
Sun Jun 7 19:15:26 UTC 2009

On 7 jun 2009, at 15.39, Rickard Bondesson wrote:

> Or isn't it that publish for the signer means publish the key but do  
> not use it for signing?

publish means "include this key in the zonefile". nothing more,  
nothing less.

> And if the publish tag is not present then use the key for signing?

whether the key is used for signing is completely orthogonal to  
whether it is published or not. signconf.rnc says:

	# sign all the DNSKEY RRsets with this key?
	element KSK { empty }?,

	# sign all non-DNSKEY RRsets with this key?
	element ZSK { empty }?,

	# include this key in the zonefile?
	element Publish { empty }?

these are all binary flags - any combination of the above is possible  
(but might not make sense).
i.e. a normal key signing key would have <KSK> AND <Publish>.

but IIRC we've previously decided that we do not sign the DNSKEY RRset  
with a <ZSK>, since we don't really have to.

> How about the revoke bit?

the revoke bit it just a part of the <Flags> and is set by the  
enforcer for revoked keys if the KASP states that 5011 should be used.


More information about the Opendnssec-develop mailing list