[Opendnssec-user] DNSKEY RRset signing with ZSK

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 13 13:47:52 UTC 2012



On 09/13/2012 12:19 AM, Paul Wouters wrote:
> 
> Hi,
> 
> I'm looking at telling opendnssec to sign the DNSKEY RRset with
> both the ZSK and KSK.
> 
> The documentation at
> https://wiki.opendnssec.org/display/DOCS/signconf.xml tells me to
> add "<ZSK/>" to the Keys section for the 257 flags. This did not
> seem to work for me.

It's the other way around: If you want to sign the DNSKEY RRset with
the ZSK, you should add <KSK/> to the Keys section for the 256 flags.

Unfortunately, this does not work because the signer is smart: if
there exists already a signature with the same algorithm for the
RRset, it will skip the key for signing.

I could change this for OpenDNSSEC 1.4. However only for the DNSKEY
RRset, because this smartness is important for the smooth ZSK
Pre-Publication rollover. But you would still have the problem that
the kasp.xml does not support it yet.

> However, this file is generated based on other xml files. Is there
> a way to specify this via a policy option in kasp.xml?

No, but it should be possible in OpenDNSSEC 2.0, with a <CSK> section.

Best regards,
  Matthijs

> 
> Paul
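To make the skip rule above concrete, here is an added example (not OpenDNSSEC's code) that parses a constructed signconf.xml <Keys> fragment and applies the key-selection behaviour the reply describes; the exact <Keys> layout, the locator values and the "only <KSK/> keys sign the DNSKEY RRset" rule are assumptions made for the example.

```python
"""Model of the DNSKEY-signing key selection described in the thread (added
example, not OpenDNSSEC code): only keys carrying <KSK/> are candidates, and a
candidate is skipped when an RRSIG with the same algorithm already exists."""
import xml.etree.ElementTree as ET

# Constructed signconf.xml fragment: the ZSK (flags 256) has been given <KSK/>
# as suggested in the thread, to request a second DNSKEY RRSIG. Locators are
# placeholders; the <Keys> layout is an assumption.
SIGNCONF_KEYS = """
<Keys>
  <TTL>PT3600S</TTL>
  <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>KSK-LOCATOR</Locator><KSK/><Publish/></Key>
  <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>ZSK-LOCATOR</Locator><ZSK/><KSK/><Publish/></Key>
</Keys>
"""

def parse_keys(xml_text):
    """Return one dict per <Key> with flags, algorithm, locator and role markers."""
    root = ET.fromstring(xml_text)
    keys = []
    for k in root.findall("Key"):
        keys.append({
            "flags": int(k.findtext("Flags")),
            "alg": int(k.findtext("Algorithm")),
            "locator": k.findtext("Locator"),
            "ksk": k.find("KSK") is not None,
            "zsk": k.find("ZSK") is not None,
        })
    return keys

def dnskey_signers(keys, dedup_by_algorithm=True):
    """Locators that end up signing the DNSKEY RRset. dedup_by_algorithm=True is
    the current behaviour described in the reply; False models the proposed
    exception for the DNSKEY RRset only."""
    signed_algs = set()
    chosen = []
    for k in keys:
        if not k["ksk"]:
            continue  # assumption: only keys marked <KSK/> sign the DNSKEY RRset
        if dedup_by_algorithm and k["alg"] in signed_algs:
            continue  # an RRSIG with this algorithm already exists: key skipped
        signed_algs.add(k["alg"])
        chosen.append(k["locator"])
    return chosen

if __name__ == "__main__":
    keys = parse_keys(SIGNCONF_KEYS)
    print(dnskey_signers(keys))                           # ['KSK-LOCATOR']
    print(dnskey_signers(keys, dedup_by_algorithm=False))  # both locators
```

With both keys on algorithm 8 the ZSK is skipped exactly as the reply explains; give the ZSK a different algorithm and the same rule yields two signers.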



