[Opendnssec-user] importing pre-generated keys
Michael Braunoeder
mib at nic.at
Mon Jan 28 13:34:54 UTC 2019
Hi,
I upgraded an old OpenDNSSEC 1.4 installation to OpenDNSSEC 2.0.4
(Debian 9). After migrating the kasp.db only the active keys have been
migrated, the pre-generated and unused ZSKs and KSKs (to fulfil the
policy requirements for at least one year into the future) were ignored.
The keys are still in the (Hardware-)HSM.
If I add them with "ods-control enforcer key import ... --state
generated" the keys will be published to the zone immediately (e.g. if I
added 4 ZSKs I ended up with 1 active ZSK and 4 ZSKs with state publish).
How can I add the keys and tell OpenDNSSEC to use them only if a key
rollover according to the policy is processed?
Thanks in advance and Best,
Michael