[Opendnssec-user] DelegationSignerSubmitCommand key identification

Sebastian Castro sebastian at nzrs.net.nz
Mon May 14 21:25:44 UTC 2012

On 12/05/12 00:27, Daniel Salzman wrote:
> Hi,


> I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use
> the DelegationSignerSubmitCommand option for starting my external
> program, I am missing any information about the key identifier relating
> to the DNSKEY record that should subsequently be used for key ds-seen.
> Although there is a possibility to compute key_id manually, this is not
> an ideal approach due to ambiguity. It would be useful to add the CKA_ID
> in a comment to the DelegationSignerSubmitCommand parameter (if required
> in configuration).

When faced with the same issue, we provided a change to OpenDNSSEC to
include the CKA_ID in the ods-ksmutil key export output.

Our test system produces the following:

ods-ksmutil key export --zone nz
SQLite database set to: /var/opendnssec/kasp.db

;active KSK DNSKEY record:
; CKA_ID: a6a5695ca0ebaaa741f2b552889fd502
nz.	3600	IN	DNSKEY	257 3 8
;{id = 21091 (ksk), size = 2048b}

If I recall correctly, the DelegationSignerSubmitCommand receives that
output, which would allow you to match the right DNSKEY with the DS record.


> Thanks
> Dan

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
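
Added example, not part of the original message or of OpenDNSSEC: a Python parser for the export format quoted above, as an external submit program might read it from standard input (an assumption based on the message). It pairs each DNSKEY record with its CKA_ID and reports key tags shared by more than one record; the function names, the sample's key material and its second record are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Comment shapes taken from the export output quoted in the message above.
CKA_RE = re.compile(r"^;\s*CKA_ID:\s*([0-9a-fA-F]+)\s*$")
TAG_RE = re.compile(r";\{id = (\d+) \((ksk|zsk)\), size = (\d+)b\}")

def parse_export(text):
    """Return one dict per DNSKEY record: owner, flags, key tag, CKA_ID."""
    keys, cka_id, current = [], None, None
    for line in text.splitlines():
        m = CKA_RE.match(line)
        if m:
            cka_id = m.group(1).lower()
            continue
        fields = line.split()
        if not line.startswith(";") and len(fields) >= 5 and fields[3] == "DNSKEY":
            # cka_id stays None when the export carries no CKA_ID comment.
            current = {"owner": fields[0], "flags": int(fields[4]),
                       "keytag": None, "cka_id": cka_id}
            keys.append(current)
            cka_id = None  # a CKA_ID comment applies to the next record only
        # The key tag comment may trail the record or sit on the following line.
        m = TAG_RE.search(line)
        if m and current is not None and current["keytag"] is None:
            current["keytag"] = int(m.group(1))
    return keys

def ambiguous_keytags(keys):
    """Key tags shared by several records; only the CKA_ID tells those apart."""
    counts = Counter(k["keytag"] for k in keys if k["keytag"] is not None)
    return sorted(tag for tag, n in counts.items() if n > 1)

# Constructed sample: the first record uses the values from the message; the
# key material and the whole second record are placeholders for this example.
SAMPLE = """\
;active KSK DNSKEY record:
; CKA_ID: a6a5695ca0ebaaa741f2b552889fd502
nz.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcPLACEHOLDER ;{id = 21091 (ksk), size = 2048b}
;ready KSK DNSKEY record:
nz.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAdPLACEHOLDER
;{id = 21091 (ksk), size = 2048b}
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key in parse_export(text):
        print(key["owner"], key["keytag"], key["cka_id"] or "NO-CKA_ID")
```

A record printed with NO-CKA_ID, or a key tag returned by ambiguous_keytags, is a case where the submit program should stop and ask an operator instead of guessing which key the DS belongs to.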
