[Opendnssec-user] Instalation notes for OpenDNSSEC 1.0a3 on Ubuntu server 8.04.3

Jakob Schlyter jakob at kirei.se
Thu Sep 10 13:20:55 UTC 2009

On 10 sep 2009, at 12.16, Antoin Verschuren wrote:

> - -I don't see any commenting of the key-id's in the resulting  
> signed zone for the DNSKEY records.
> Though not needed for things to work, I think this is handy for bug  
> tracing.
> Is this an option, or not considered to be implemented at all ?

it's not implemented, but it should be easy to add if needed. btw, do  
you want the keytag or the OpenDNSSEC key ID?

> - -dnssec-signzone signs the DNSKEY RR-set with both KSK as ZSK.
> I see in my result from OpenDNSSEC over the DNSKEY RR-set only one  
> RRSIG, assuming that this is the signature from the KSK since the  
> key-id is different from all the other RRSIG's.


> Is this difference in behavior documented anywhere ?

I don't think so - do we need to document this? I never understood why  
the BIND tools signs the DNSKEY RRset with the ZSK, that signature is  
never used.


More information about the Opendnssec-user mailing list