[Opendnssec-user] what key's do i need to submit to Registar.

Siôn Lloyd sion at nominet.org.uk
Tue Aug 26 10:49:55 UTC 2014


On 25/08/14 11:34, Klaus Darilion wrote:
> As I said it depends on which KSK-rollover method you are using.
>
> OpenDNSSEC uses Double-Signature: (see
> https://wiki.opendnssec.org/display/DOCS/Key+Rollovers).
>
> Thus, it should be sufficient to have only the DS of the active KSK (on
> the standby KSKs) in the parent zone.

...and the default for "key export" is to print the DNSKEYs that it
thinks should be in the parent zone. (You can get DS records by adding
the "--ds" flag.)

Sion

> regards
> Klaus
>
>
>
> On 25.08.2014 11:40, Bas van den Dikkenberg wrote:
>> I plan to have 2 standby keys; as far as I understand I have to publish at least the active key and both the standby keys, right?
>> What about those with status retired (not dead)?
>>
>>
>> -----Original Message-----
>> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
>> Sent: Monday 25 August 2014 11:08
>> To: Bas van den Dikkenberg; Opendnssec-user at lists.opendnssec.org
>> Subject: Re: [Opendnssec-user] what key's do i need to submit to Registar.
>>
>>
>>
>> On 23.08.2014 17:16, Bas van den Dikkenberg wrote:
>>> Hi,
>>>
>>> A question about the key states: I am in the process of scripting the
>>> updating of the KSK to my registrars.
>>>
>>> Does the output of ods-ksmutil key export -zone zome.tld provide me
>>> the keys I need to publish to the registrar/TLD?
>>>
>>> Do retire and publish also need to be included?
>> It depends on your KSK rollover method. See:
>>
>> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-04#section-2.2
>>
>> regards
>> Klaus
>>
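
The thread distinguishes the DNSKEYs printed by "key export" from the DS records a parent zone holds. As an added example (not part of the thread and not OpenDNSSEC code), this sketch derives SHA-256 DS records from DNSKEY lines following RFC 4034 and RFC 4509. It assumes standard zone-file presentation format as input; the sample records, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample in zone-file presentation format; the key material is
# dummy bytes, not a real key. One KSK (flags 257) and one ZSK (flags 256).
SAMPLE_DNSKEYS = """\
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==
"""

def name_to_wire(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Return (owner, flags, algorithm, rdata) for one DNSKEY line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + pubkey

def ds_for_ksks(zone_text):
    """DS lines (digest type 2, SHA-256) for every DNSKEY with the SEP bit set."""
    out = []
    for line in zone_text.splitlines():
        if "DNSKEY" not in line.split():
            continue
        owner, flags, alg, rdata = parse_dnskey(line)
        if not flags & 0x0001:  # SEP bit clear: a ZSK, no DS is derived for it
            continue
        # RFC 4509: digest = SHA-256(owner name in wire form | DNSKEY RDATA)
        digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out

if __name__ == "__main__":
    print("\n".join(ds_for_ksks(SAMPLE_DNSKEYS)))
```

Comparing the key tags and digests computed this way against the DS set actually published in the parent is a quick check that the right KSK was submitted.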