[Opendnssec-user] DNSKEY RRset signing with ZSK
Sara Dickinson
sara at sinodun.com
Thu Sep 13 14:10:34 UTC 2012
On 12 Sep 2012, at 23:19, Paul Wouters wrote:
>
> Hi,
>
> I'm looking at telling opendnssec to sign the DNSKEY RRset with both the
> ZSK and KSK.
>
> The documentation at https://wiki.opendnssec.org/display/DOCS/signconf.xml
> tells me to add "<ZSK/>" to the Keys section for the 257 flags. This did
> not seem to work for me.
> However, this file is generated based on other xml files.

Yeah - the enforcer will overwrite any user changes to these files so this isn't the way to go (we document them just to help with debugging)...

> Is there a way
> to specify this via a policy option in kasp.xml?

My understanding is that the current (1.3 and 1.4) enforcer does not support it in the policy (even if the signer could support it in principle in the signconf.xml), but that should change in 2.0.

Sara.

>
> Paul