[Opendnssec-user] importing pre-generated keys

Michael Braunoeder mib at nic.at
Mon Jan 28 13:34:54 UTC 2019


I upgraded an old OpenDNSSEC 1.4 installation to OpenDNSSEC 2.0.4 
(Debian 9). After migrating the kasp.db, only the active keys have been 
migrated; the pre-generated and unused ZSKs and KSKs (to fulfil the 
policy requirements for at least one year into the future) were ignored. 
The keys are still in the (Hardware-)HSM.

If I add them with "ods-control enforcer key import ... --state 
generated" the keys will be published to the zone immediately (e.g. if I 
added 4 ZSKs I ended up with 1 active ZSK and 4 ZSKs with state publish).

How can I add the keys and tell OpenDNSSEC to use them only if a key 
rollover according to the policy is processed?

Thanks in advance and Best,
