[Opendnssec-user] Export a specific key, for example by CKA_ID

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Nov 12 16:03:26 UTC 2019

On 10/29/19 3:49 PM, Casper Gielen wrote:
> I want to get a specific key from OpenDNSSEC but this seems impossible
> with version 2.1.3 (from the Debian repositories).

Not sure what you mean with "get a key"
List key active, export secret/public key, or get the information usable
for DS records?

> ods-enforcer key export used to list the keytag but it no longer does.
> Now it has become impossible to identify the keys other than calculating
> the keytag yourself.

There are no changes in this respect in the 2.1 branch.  I won't do
structural changes to maintenance branches.  Computing keytags should
never be necessary, that would indeed need fixing.

The command ods-enforcer key export is primary used to export either
DNSKEY records or DS records suitable to submit to the parent zone.
In which case you'd almost always want to submit everything.

The command "ods-enforcer key list" will list keys for other purposes.
With the additional "-v" flag it will also output the keytags for each key.

I would agree that "key export" and "key list" are confusing in their
usage, but overhoaling the CLI isn't worked on yet and is a very
structural change.

> PS. Is OpenDNSSEC doing alright? Things have been very quiet on the
> mailing lists and there seems to be hardly any development going on.

Just a release out the door, and commits in both main tree as on user


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20191112/10ad0c0b/attachment.bin>

More information about the Opendnssec-user mailing list