[Opendnssec-user] DS RR of KSK

Simon Mittelberger mittelberger at united-domains.de
Tue Oct 19 14:56:22 UTC 2010


Am Dienstag, den 19.10.2010, 11:40 -0300 schrieb Hugo Salgado:
> On 10/19/2010 05:42 AM, Sion Lloyd wrote:
> >  
> >> I appreciate any hint. Thanks.
> > 
> > If you run:
> > ods-ksmutil key list --zone sub.domain.tld
> > 
> > you will be told the state of the KSKs in that zone, I'm guessing that they 
> > are in the READY state, or maybe PUBLISHED.
> > 
> 
> I had the same confusion when I first created a signed zone.
> As I realized, you can not export the KSK just after the first
> signing, because you need to wait until the key is in the ready
> state (you need a prepublication time before it's safe to use it
> for validation).
> 
> I think it'll be great a more verbose output from the export
> command. Something like "you need to wait a certain time, but
> if you're just testing use --force".

Indeed, that was a little confusing, although it is necessary.
But when you sign a zone for the first time on your test system you just
want to get the records out quickly to upload them to your test parent
zone, in order to test the whole DNSSEC validation.

As Sion mentioned, you can get the KSK DS and DNSKEY records out before
the publish time is over if you specify the actual state of the KSK with
the --keystate <STATE> tag:
ods-ksmutil key export --zone sub.domain.tld --keytype KSK --keystate publish --ds

Thanks for the help!

All the best,
Simon
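The thread turns on one operational check: the KSK's DS record should only go to the real parent once the key has reached the ready state, and the `--keystate` override is a test-system shortcut. The script below is an added example, not code from the thread or from the OpenDNSSEC project: it parses the text of `ods-ksmutil key list --zone <zone>` (the sample output and its column layout, Zone / Keytype / State / Date of next transition, are a constructed assumption about the tool's format), picks out the KSK state, and prints either the plain export command or the override form, so the decision described in the mails is made mechanically instead of by eye.

```shell
#!/bin/sh
# Added example (not from the thread or OpenDNSSEC). Decide, from the text of
# `ods-ksmutil key list --zone <zone>`, whether the KSK is far enough along in
# its lifecycle for its DS record to be given to the parent zone.
# ASSUMPTION: key list output has columns Zone / Keytype / State / Date of next
# transition, one key per line; adjust the awk field numbers if yours differs.

# Constructed sample output for a zone signed for the first time a moment ago.
SAMPLE_KEY_LIST='Keys:
Zone:                           Keytype:      State:    Date of next transition:
sub.domain.tld                  KSK           publish   2010-10-20 14:56:22
sub.domain.tld                  ZSK           active    2010-11-18 14:56:22'

# ksk_state <key-list-text> <zone>: print the State column of the KSK row for <zone>.
# Prints nothing if the zone has no KSK row.
ksk_state() {
    printf '%s\n' "$1" | awk -v zone="$2" '$1 == zone && $2 == "KSK" { print $3; exit }'
}

# ksk_ds_exportable <state>: succeed only when the KSK has finished its
# prepublication period, i.e. validators have had time to see the DNSKEY.
ksk_ds_exportable() {
    case "$1" in
        ready|active) return 0 ;;
        *)            return 1 ;;
    esac
}

# export_command <zone> <state>: print the ods-ksmutil command matching the state.
# For ready/active keys the plain export is what you hand to the real parent;
# for earlier states only the --keystate override (test systems only) will work.
export_command() {
    zone="$1"; state="$2"
    if [ -z "$state" ]; then
        printf 'no KSK found for zone %s\n' "$zone" >&2
        return 1
    fi
    if ksk_ds_exportable "$state"; then
        printf 'ods-ksmutil key export --zone %s --keytype KSK --ds\n' "$zone"
    else
        printf 'ods-ksmutil key export --zone %s --keytype KSK --keystate %s --ds\n' "$zone" "$state"
    fi
}

# Stand-alone demo against the constructed sample.
demo() {
    zone=sub.domain.tld
    state=$(ksk_state "$SAMPLE_KEY_LIST" "$zone")
    printf 'KSK state for %s: %s\n' "$zone" "${state:-<none>}"
    export_command "$zone" "$state"
}
demo
```

In real use, replace `SAMPLE_KEY_LIST` with `$(ods-ksmutil key list --zone "$zone")`; the point of the `ksk_ds_exportable` gate is that the override path is never reached by accident on a production signer.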



