Discussion:
dnssec-keymgr
CT
2018-10-18 17:05:17 UTC
All.
Not much on the subject other than a few posts.
Didn't find anything in my last ARM search either.

Thx
CT
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
CT
2018-10-18 20:45:21 UTC
I have a working test box based on:
http://bind-users-forum.2342410.n4.nabble.com/Automatic-Key-Management-td4317.html
https://kb.isc.org/docs/aa-00711

It appears that dnssec-keymgr will keep track of the ZSK keys, but I will need to re-sign the zone on changes or weekly.
Current ZSK creation script doesn't always get the timing correct.

Current box now uses dnssec-signzone:

/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K private example.net

via script to change the serial # and re-sign the zone.

Is it a better way to use rndc?

rndc loadkeys example.net
rndc signing -nsec3param 1 0 10 03F92714 example.net.

Thx
CT