[Opendnssec-user] DelegationSignerSubmitCommand key identification

Daniel Salzman daniel.salzman at nic.cz
Tue May 15 07:11:53 UTC 2012


Hi,

The main problem is that the input to DelegationSignerSubmitCommand 
doesn't contain any key identifier (OpenDNSSEC 1.3.8).
Example of input:

aaa.cz. 3600 IN DNSKEY 257 3 8 
AwEAAcnuct87tqDPCXVLKeFYY6/g796Ung75/Gqct7AJuxqPfmex3zGo4Izuz44Sv/PoNgCGdXXQcomzHabhFCd4ZkXxeiH5AxahEr+CympCvKfR0n+jn93fteazl+/jjCjsnaokOrADg7CHc9Puy2FVc+DsQejGXI5Vgak8sL2sILpjtr9HjRKfX+BvmxOFyAyPOpOw/hARcoc00ZMqXQIQoyAwIaaRN//EUhGhokEpziDWFuNk2bcNTJMTyS0NnmdPnvqWo/qQxcIEgwnsyMUxVTgJyUQIqNNVdxkk/N8gjNsFWUBRuR7XhH7laV5/N+E4lWUxBw/JAIXKXCAWkW7LmkU=

So the only possibility is to compute key_id.

Dan


On 05/14/2012 11:25 PM, Sebastian Castro wrote:
> On 12/05/12 00:27, Daniel Salzman wrote:
>> Hi,
> Hi,
>
>> I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use
>> the DelegationSignerSubmitCommand option
>> for starting my external program, I am missing any information about the key
>> identifier relating to the DNSKEY record,
>> which should subsequently be used for key ds-seen. Although there is a
>> possibility to compute key_id manually,
>> this is not an ideal approach due to ambiguity. It would be useful to add
>> the CKA_ID in a comment to the DelegationSignerSubmitCommand
>> parameter (if required in configuration).
> When faced with the same issue, we provided a change to OpenDNSSEC to
> include the CKA_ID in the ods-ksmutil key export output.
>
> Our test system produces the following
>
> ods-ksmutil key export --zone nz
> SQLite database set to: /var/opendnssec/kasp.db
>
> ;active KSK DNSKEY record:
> ; CKA_ID: a6a5695ca0ebaaa741f2b552889fd502
> nz.	3600	IN	DNSKEY	257 3 8
> AwEAAaT0q51/JlyU37rJl/12ji5Qx/64oeftxIHpOMDVbCwOs1VWHeuGcZhwA8SBd9iCYGNMzcZptjMUd0C2DaJsbfhFFmIyUdq39s1qKYdo41HajX7NQIxb89C+SQIlsuVs0mNrPHjiczm2KFkM7oY8D3nORJCEDxglc4+NxZuaDgVlTqFXVqzgg/y5z3LLySou4XA1g5mpGaf5M+DUwWa/zs9aWF5M88y9JzpacuXcCzY0H7bvsOn/0/qlTlrecpMUt3sSpLHcE4idFjn8xK3BCEVDWlXXQDIweU07d6Sg6GhYtbbNp8l3Y7dw9XjLGOF2Xts9VRzBwBcELwb0R4AkiO0=
> ;{id = 21091 (ksk), size = 2048b}
>
> If I recall correctly, the DelegationSignerSubmitCommand receives that
> output, which would allow you to match the right DNSKEY with the DS record.
>
> Cheers,
>
>> Thanks
>> Dan
>
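Computing key_id from the DNSKEY line, as Daniel's message says is the only option with a bare DelegationSignerSubmitCommand input, amounts to the key tag of RFC 4034 Appendix B plus, for the DS submission itself, the RFC 4034/4509 digest. The following is an added example, not OpenDNSSEC's own code: it parses a presentation-format DNSKEY RR, derives the key tag and a DS record, and is run against the nz. KSK from the ods-ksmutil output quoted above. Keep the ambiguity Daniel mentions in mind: two keys can share a key tag, which is why CKA_ID is the safer identifier.

```python
import base64
import hashlib
import struct

def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, base64 key).
    Text after ';' is ignored, TTL/class are optional, and a key wrapped over several tokens is joined."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, "".join(fields[i + 4:])

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B.2 (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RR for the DNSKEY (RFC 4034 section 5.1.4); digest type 1 = SHA-1, 2 = SHA-256 (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)

# The active KSK from Sebastian's ods-ksmutil output in this thread; ods-ksmutil printed
# "id = 21091" (its key tag) for this key.
NZ_KSK = ("nz. 3600 IN DNSKEY 257 3 8 "
          "AwEAAaT0q51/JlyU37rJl/12ji5Qx/64oeftxIHpOMDVbCwOs1VWHeuGcZhwA8SBd9iCYGNMzcZptjMUd0C2DaJsbfhFFmIyUdq39s1qKYdo41HajX7NQIxb89C+SQIlsuVs0mNrPHjiczm2KFkM7oY8D3nORJCEDxglc4+NxZuaDgVlTqFXVqzgg/y5z3LLySou4XA1g5mpGaf5M+DUwWa/zs9aWF5M88y9JzpacuXcCzY0H7bvsOn/0/qlTlrecpMUt3sSpLHcE4idFjn8xK3BCEVDWlXXQDIweU07d6Sg6GhYtbbNp8l3Y7dw9XjLGOF2Xts9VRzBwBcELwb0R4AkiO0=")

if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(NZ_KSK)
    print("key tag:", key_tag(dnskey_rdata(flags, proto, alg, key)))
    print(ds_record(owner, flags, proto, alg, key))
```

Feed the script the line DelegationSignerSubmitCommand hands over (standard input works the same way as the constant) to get the key tag and DS for the ds-seen step.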