[Opendnssec-user] DS RR of KSK
Hugo Salgado
hsalgado at nic.cl
Tue Oct 19 14:40:23 UTC 2010
On 10/19/2010 05:42 AM, Sion Lloyd wrote:
>
>> I appreciate any hint. Thanks.
>
> If you run:
> ods-ksmutil key list --zone sub.domain.tld
>
> you will be told the state of the KSKs in that zone, I'm guessing that they
> are in the READY state, or maybe PUBLISHED.
>
I had the same confusion when I first created a signed zone.
As I realized, you can not export the KSK just after the first
signing, because you need to wait until the key is in the ready
state (you need a prepublication time before it's safe to use it
for validation).
I think it'll be great a more verbose output from the export
command. Something like "you need to wait a certain time, but
if you're just testing use --force".
Regards,
Hugo
More information about the Opendnssec-user
mailing list