[Opendnssec-user] Installation notes for OpenDNSSEC 1.0a3 on Ubuntu server 8.04.3
Jakob Schlyter
jakob at kirei.se
Thu Sep 10 13:20:55 UTC 2009
On 10 sep 2009, at 12.16, Antoin Verschuren wrote:
> - I don't see any commenting of the key-ids in the resulting
> signed zone for the DNSKEY records.
> Though not needed for things to work, I think this is handy for bug
> tracing.
> Is this an option, or not considered to be implemented at all?
it's not implemented, but it should be easy to add if needed. btw, do
you want the keytag or the OpenDNSSEC key ID?
> - dnssec-signzone signs the DNSKEY RR-set with both KSK and ZSK.
> I see in my result from OpenDNSSEC over the DNSKEY RR-set only one
> RRSIG, assuming that this is the signature from the KSK since the
> key-id is different from all the other RRSIGs.
correct.
> Is this difference in behavior documented anywhere?
I don't think so - do we need to document this? I never understood why
the BIND tools sign the DNSKEY RRset with the ZSK; that signature is
never used.
jakob
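
An added example, not part of the original thread and not OpenDNSSEC code: it computes the RFC 4034 key tag for each DNSKEY and reports whether each RRSIG over the DNSKEY RRset was made by a KSK or a ZSK, which is the check discussed above. The function names are hypothetical, the records are constructed with toy keys and placeholder signatures, and the parser assumes single-line records with owner, TTL and class present.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd the low octet.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_signers(zone_text):
    """List (key tag, role) for every RRSIG covering the DNSKEY RRset."""
    roles = {}      # key tag -> "KSK" or "ZSK"
    sig_tags = []   # key tags named in RRSIGs over DNSKEY
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()   # drop trailing comments
        if len(fields) < 5:
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = map(int, rdata[:3])
            tag = key_tag(flags, proto, alg, "".join(rdata[3:]))
            roles[tag] = "KSK" if flags & 1 else "ZSK"   # SEP bit marks a KSK
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            sig_tags.append(int(rdata[6]))   # 7th RRSIG field is the key tag
    return [(tag, roles.get(tag, "unknown")) for tag in sig_tags]

# Constructed sample data: toy public keys, placeholder signature "c2ln".
KEYS = (
    "example. 3600 IN DNSKEY 257 3 8 AQAB\n"
    "example. 3600 IN DNSKEY 256 3 8 AQAC\n"
)
SIG = "example. 3600 IN RRSIG DNSKEY 8 1 3600 20091010000000 20090910000000 "
KSK_ONLY = KEYS + SIG + "1545 example. c2ln\n"        # one RRSIG, as described for OpenDNSSEC
KSK_AND_ZSK = KSK_ONLY + SIG + "1800 example. c2ln\n"  # two RRSIGs, as described for dnssec-signzone

if __name__ == "__main__":
    for name, zone in (("KSK only", KSK_ONLY), ("KSK and ZSK", KSK_AND_ZSK)):
        print(name, dnskey_signers(zone))
```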