[Opendnssec-user] Signer Engine?
Jakob Schlyter
jakob at kirei.se
Fri Aug 21 13:18:47 UTC 2009
On 21 aug 2009, at 14.02, B C wrote:
> So I guess the 2*2048 bit keys are my KSK
>
> However if I try and extract my KSK DNSKEY for publication with:
>
> hsmutil dnskey d000af9031cbca0caeec04df9b947936 pwei.net
>
> I get a ZSK, and in fact running hsmutil against any of the above IDs
> results in a ZSK, (Note I can confirm that my zone does have some
> KSKs with the 257 flag in it)
Since hsmutil doesn't know anything about the keys' use, it actually
just sets 256 as the flags and sets the domain name to what you set on
the command line. I hope we can add a proper key export command to
ksmutil that will export the keys properly (and possibly the DS of the
KSKs as well).
jakob
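
The following is an added example, not part of the original message and not OpenDNSSEC code. It shows why a DNSKEY printed with flags 256 cannot simply be published as the KSK: the flags field is part of the DNSKEY RDATA, so the same public key yields a different key tag and DS digest with 256 than with 257. The key bytes and the choice of algorithm 8 are constructed assumptions; the key tag and DS calculations follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

# Constructed placeholder key material (not a real RSA key, not from the thread).
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(16))
ALGORITHM = 8  # RSASHA256; assumed, the thread does not name the algorithm


def dnskey_rdata(flags, pubkey, algorithm=ALGORITHM):
    """DNSKEY RDATA: flags (16 bit), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even-indexed bytes are the high octet of each 16-bit word.
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(name, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest()


def compare(name, pubkey):
    """Return {flags: (key tag, DS digest)} for the same key as ZSK and KSK."""
    out = {}
    for flags in (256, 257):
        rdata = dnskey_rdata(flags, pubkey)
        out[flags] = (key_tag(rdata), ds_sha256(name, rdata))
    return out


if __name__ == "__main__":
    for flags, (tag, digest) in compare("pwei.net", SAMPLE_PUBKEY).items():
        print(f"flags={flags} keytag={tag} DS(sha256)={digest}")
```

A DS record built from the 256-flag output would not match the 257-flag DNSKEY actually in the zone, so validation through the parent would fail.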