[Opendnssec-user] two small requests for ods-ksmutil
Paul Wouters
paul at nohats.ca
Mon Mar 12 19:37:54 UTC 2012
On Mon, 12 Mar 2012, Miek Gieben wrote:
>> active 2012-03-12 11:05:08 (retire) 1024 8 c842110e1409d9f6289c5ff5fe793b61 AEP 4450
>> publish 2012-03-12 10:05:10 (ready) 1024 8 382ffeea9db6a814d0a573717232a707 AEP 37491
>>
>> 1) Leading zeroes
>>
>> When trying to sign with both bind and opendnssec, some conversions need
>> to happen. We need to grab the current KSK and ZSK from where, so we can
>> run dnssec-keyfromlabel. Since we are dealing with filenames generated
>> based on keytag and algorithm, there is this annoying issue with leading
>> zeros for both the key tag and the algorithm. Could opendnssec print
>> leading in this screen?
>
> Huh? What exactly is the problem here? I just use the CKA_ID in
> dnssec-keyfromlabel and that works very nicely.
I don't parse the output of dnssec-keyfromlabel, as I "know" what the
Kfile name will be, based on keytag and algo. That also ensures that I
am using the algo and key options I think I am, and that it will fail
to include a wrong key if some bit flips and the keytag would change.
(such as changing an nsec3 optin flag :)
(other people might prefer to read a load of xml from /etc/opendnssec/
but that's exactly why my script is 20 lines and ods4bind is several
hundred lines :)
Paul
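
Added example, not part of the original message and not Paul's script: a sketch of the approach described above, building the expected BIND K-file base name (K<zone>.+<3-digit algorithm>+<5-digit keytag>) from the key-list lines quoted in the thread instead of parsing dnssec-keyfromlabel output. The function name kfile_names, the zone example.com and the nine-column field layout are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample input: the two key-list lines quoted in the thread.
# Field layout assumed from those lines:
#   state date time (next) bits algorithm CKA_ID repository keytag
SAMPLE_KEYS='active 2012-03-12 11:05:08 (retire) 1024 8 c842110e1409d9f6289c5ff5fe793b61 AEP 4450
publish 2012-03-12 10:05:10 (ready) 1024 8 382ffeea9db6a814d0a573717232a707 AEP 37491'

# kfile_names ZONE (hypothetical helper): read key-list lines on stdin and
# print "<CKA_ID> K<zone>.+<alg, 3 digits>+<keytag, 5 digits>" for each key.
# Returns non-zero if any line does not look like the assumed layout, so a
# caller can stop before handing a wrong label or file name to BIND.
kfile_names() {
    zone=${1%.}    # accept "example.com." or "example.com"; "." gives "K.+..."
    awk -v zone="$zone" '
        NF == 0 { next }                      # skip blank lines
        {
            alg = $6; id = $7; tag = $9
            if (NF != 9 ||
                alg !~ /^[0-9]+$/ || alg > 255 ||     # DNSSEC algorithm: 8 bits
                tag !~ /^[0-9]+$/ || tag > 65535 ||   # key tag: 16 bits
                id  !~ /^[0-9a-f]+$/) {               # CKA_ID: hex string
                printf "line %d: unexpected fields\n", NR > "/dev/stderr"
                bad = 1
                next
            }
            # Zero-pad here: this is the padding the key list does not print.
            printf "%s K%s.+%03d+%05d\n", id, zone, alg, tag
        }
        END { exit bad + 0 }
    '
}

# Run on the sample when executed directly.
printf '%s\n' "$SAMPLE_KEYS" | kfile_names example.com
```

The CKA_ID in the first column is what would be passed as the label to dnssec-keyfromlabel; the second column is the file name to expect afterwards, so a mismatch means the key, algorithm or flags are not what the script assumed.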