[Opendnssec-user] Signer Engine?

Jakob Schlyter jakob at kirei.se
Fri Aug 21 13:18:47 UTC 2009

On 21 aug 2009, at 14.02, B C wrote:

> So I guess the 2*2048 bit keys are my KSK
> However if I try and extract my KSK DNSKEY for publication with:
> hsmutil dnskey d000af9031cbca0caeec04df9b947936 pwei.net
> I get a ZSK, and in fact running hsmutil against any of the above ID's
> results in a ZSK, (Note I can confirm that my zone does have some
> KSK's with the 257 flag in it)

since hsmutil doesn't know anything about the keys use, it actually  
just sets 256 as the flags and sets the domain name to what you set on  
the command line. I hope we can add a proper key export command to  
ksmutil that will export the keys properly (and possible the DS of the  
KSKs as well).


More information about the Opendnssec-user mailing list