If you have not included a KSK in the zone file, the latest versions of dnssec-signzone (zone signing) will end up with the following error;
> dnssec-signzone: fatal: no self signed KSK's found
Not including a KSK in the zone file is not the recommended way: the DS record you hand to the parent zone is normally derived from the KSK, and if you include no KSK and provide no DS set to the parent, no trust anchor (chain of trust) into your zone will be created, so validating resolvers treat the zone as unsigned. Anyway, if you really want to sign your zone with a self signed key (i.e. only with a ZSK, which then signs the DNSKEY RRset itself), use the switch '-P' with the zone signing command;
dnssec-signzone -v 1 -t -P -o xxx.abc db.xxx.abc Kxxx.abc+007+12345.key
Here -v sets the debugging level and -t prints statistics at the completion of signing.
-P disables the post-sign verification tests.
The post-sign verification tests ensure that for each algorithm in use there is at least one non-revoked self signed KSK, that all revoked KSKs are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests, so only use it when you deliberately have no KSK; with a KSK in the key set leave the check enabled, since it is what catches a missing or wrong KSK before you publish a broken zone.
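As an added example (not part of the original post, and not BIND's own code), the shell helper below checks the DNSKEY flags field of the key files you are about to pass to dnssec-signzone, since that is what the failing check looks at: a key with flags 257 (SEP bit set) is a KSK, 256 is a ZSK. It only adds -P when no KSK is among the keys, and prints the resulting command rather than running it. The key file names follow the post's naming and the key material is a constructed placeholder, not a real key; the zone name xxx.abc and zone file db.xxx.abc are the post's own placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect DNSKEY flags
# before signing so the "no self signed KSK's found" abort is not a surprise.

# Print the DNSKEY flags field of a dnssec-keygen .key file (256 = ZSK, 257 = KSK).
# Works with or without an explicit TTL in the record and skips ';' comment lines.
dnskey_flags() {
    awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$1"
}

# Classify a key file as KSK, ZSK or unknown from its flags.
key_role() {
    case "$(dnskey_flags "$1")" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo unknown ;;
    esac
}

# Return 0 if at least one of the given key files is a KSK.
has_ksk() {
    for f in "$@"; do
        [ "$(key_role "$f")" = KSK ] && return 0
    done
    return 1
}

# Build the dnssec-signzone command line for: ZONE ZONEFILE KEY...
# -P is added only when no KSK is present (the case the post describes);
# with a KSK the post-sign verification is left enabled.
signzone_cmd() {
    zone=$1; zonefile=$2; shift 2
    if has_ksk "$@"; then
        printf 'dnssec-signzone -v 1 -t -o %s %s %s\n' "$zone" "$zonefile" "$*"
    else
        printf 'dnssec-signzone -v 1 -t -P -o %s %s %s\n' "$zone" "$zonefile" "$*"
    fi
}

# Constructed sample key files: placeholder key material, not valid RSA keys.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/Kxxx.abc+007+12345.key" <<'EOF'
; This is a zone-signing key, keyid 12345, for xxx.abc.
xxx.abc. IN DNSKEY 256 3 7 AwEAAexampleZSKplaceholder
EOF
cat > "$WORK/Kxxx.abc+007+54321.key" <<'EOF'
; This is a key-signing key, keyid 54321, for xxx.abc.
xxx.abc. 3600 IN DNSKEY 257 3 7 AwEAAexampleKSKplaceholder
EOF
ZSK="$WORK/Kxxx.abc+007+12345.key"
KSK="$WORK/Kxxx.abc+007+54321.key"

# Only the ZSK: -P is required or dnssec-signzone aborts with
# "no self signed KSK's found".
signzone_cmd xxx.abc db.xxx.abc "$ZSK"
# ZSK plus KSK: the verification tests stay on.
signzone_cmd xxx.abc db.xxx.abc "$ZSK" "$KSK"
```

To actually sign, eval the printed command in the directory holding the zone file and the matching .private files; the script deliberately does not run dnssec-signzone itself so it can be used as a dry run.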
Reference
dnssec-signzone(8) man page: http://linux.die.net/man/8/dnssec-signzone