[Opendnssec-user] DS RR of KSK

Simon Mittelberger mittelberger at united-domains.de
Mon Oct 18 13:11:54 UTC 2010


I recently set up two instances of OpenDNSSEC and BIND on two differnet
machines (VMs). One for the domain's nameserver and the other one for
the subdomain's nameserver.
The signing of both zones works great and I can validate DNSSEC with dig
+sigchase if I hand over the trusted key of domain and subdomain.
What I am trying to achieve is to validate it by just handing over the
key of the parent zone, but the problem is, that I am not able to export
the DS RR of the KSK to the parent zone. The export of ZSK works just

The command I am issueing is the following:
ods-ksmutil key export --zone sub.domain.tld --keytype KSK
ods-ksmutil key export --zone sub.domain.tld --keytype KSK --ds

Both are just printintg: SQLIte database set
to /var/lib/opendnssec/db/kasp.db

I have used all the standard config files and just adopted the time
intervals a little.

I am running a debian lenny and installed OpenDNSSEC out of the sid
repository. OpenDNSSEC has version 1.1.0. SoftHSM is installed in
version 1.1.4.

I appreciate any hint. Thanks.

All the best,
Simon Mittelberger

More information about the Opendnssec-user mailing list