[Opendnssec-user] Signer Engine?

B C brettlists at gmail.com
Fri Aug 21 13:57:22 UTC 2009

On Fri, Aug 21, 2009 at 2:18 PM, Jakob Schlyter<jakob at kirei.se> wrote:
> On 21 aug 2009, at 14.02, B C wrote:
>> So I guess the 2*2048 bit keys are my KSK
>> However if I try and extract my KSK DNSKEY for publication with:
>> hsmutil dnskey d000af9031cbca0caeec04df9b947936 pwei.net
>> I get a ZSK, and in fact running hsmutil against any of the above ID's
>> results in a ZSK, (Note I can confirm that my zone does have some
>> KSK's with the 257 flag in it)
> since hsmutil doesn't know anything about the keys use, it actually just
> sets 256 as the flags and sets the domain name to what you set on the
> command line. I hope we can add a proper key export command to ksmutil that
> will export the keys properly (and possible the DS of the KSKs as well).

Thanks Jakob, that's a little clearer now and indeed I think a proper
key export command is essential, but just to be clear I am exporting
the correct keys here right? I can use them in a bind/unbound resolver
config to auth the signatures that the signer engine is adding to my


>        jakob

More information about the Opendnssec-user mailing list