[Opendnssec-develop] ZKT migration page

Rickard Bellgrim rickard at opendnssec.org
Wed Apr 18 07:35:53 UTC 2012

On Mon, Apr 16, 2012 at 12:16 AM, Rick van Rein <rick at openfortress.nl> wrote:
> Hello,
> I've finished the promised documentation page on migration
> from ZKT to OpenDNSSEC.  Feedback or updates are most welcome.


I have some comments below:

You should remove the line "$INCLUDE dnskey.db" from your zone.db
file, as OpenDNSSEC will insert DNSKEY records by itself, while
signing your zone.  Forget this, and the signer will not be able to
load your zone file.

OpenDNSSEC can handle duplicate DNSKEY (DNSKEY in unsigned zone
matches DNSKEY in signconf). So the issue was probably the path to the
include file or that the Auditor does not support $INCLUDE. Think this
section can be clarified. E.g. by just saying that OpenDNSSEC will add
the DNSKEY RRset itself and does not need to be included in the
unsigned zone.

--algorithm 5

The value should come from SCHEME, right?

Note that you may find that you have more than one KSK, and/or more
than one ZSK.  Assuming that all are active, you would import them
all.  You may need to vary the --keystate parameter in other cases, or
make a clever decision to leave out those keys.

It is not a good idea to import multiple active keys, since OpenDNSSEC
only handles one active KSK and one active ZSK. Will ZKT ever have
multiple active keys? If not, then just say that --keystate needs to
adjusted for the other keys.

// Rickard

More information about the Opendnssec-develop mailing list