
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working in Linux Fedora systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is what many depend on.

All the posts here are my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Thursday, August 11, 2011

DNSSEC without KSK

If you have not included a KSK in the zone file, the latest versions of the zone-signing tool will end up with the following error:


> dnssec-signzone: fatal: no self signed KSK's found


Not including a KSK in the zone file is not the recommended way: if you do not include any KSK and do not provide the DS set to your DNS root, the trust anchor will not be created. Anyway, if you really want to sign your zone with a self signed key (i.e. only with a ZSK), use the switch '-P' with the zone signing command:

dnssec-signzone -v 1 -t -P -o xxx.abc db.xxx.abc Kxxx.abc+007+12345.key

Here -v sets the debugging level, -t prints statistics at completion, and
-P disables the post sign verification tests.
The post sign verification test ensures that for each algorithm in use there is at least one non-revoked self signed KSK, that all revoked KSKs are self signed, and that all records in the zone are signed by that algorithm. The -P option skips these tests, so the signed zone is written out even though no KSK signs the DNSKEY RRset.
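As an added example (not from the post or from BIND), the following Python script re-implements the KSK part of the post sign verification test that '-P' skips, so you can see what the check actually looks at before deciding to disable it. It assumes one record per line (dnssec-signzone normally wraps RRSIG records in parentheses, so join those first), uses constructed zone data with dummy key material, and does not implement the third condition (every RRset signed by the algorithm).

```python
import base64
# Constructed sample zone fragment, not from the post: a KSK (flags 257) and a
# ZSK (flags 256), each signing the DNSKEY RRset. Key material ("AQAB", "AQID")
# and signatures ("c2ln") are dummy base64; only flags and key tags matter here.
ZONE_WITH_KSK = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 8 AQID
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110911000000 20110811000000 1545 example.test. c2ln
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110911000000 20110811000000 2058 example.test. c2ln
"""
# Same zone with the KSK and its signature dropped, i.e. the ZSK-only case from the post.
ZONE_ZSK_ONLY = "".join(l for l in ZONE_WITH_KSK.splitlines(True) if " 257 " not in l and " 1545 " not in l)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    """Collect DNSKEY records and the RRSIGs covering DNSKEY (one record per line)."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys.append({"flags": flags, "alg": alg, "tag": key_tag(flags, proto, alg, "".join(f[7:]))})
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            sigs.append({"alg": int(f[5]), "tag": int(f[10])})  # field 10 is the signing key tag
    return keys, sigs

def check_zone(text):
    """Per algorithm: a non-revoked KSK (SEP bit 0x0001) must sign the DNSKEY RRset, and
    every revoked KSK (REVOKE bit 0x0080, RFC 5011) must still self-sign. Returns problems."""
    keys, sigs = parse_zone(text)
    signed = {(s["alg"], s["tag"]) for s in sigs}
    problems = []
    for alg in sorted({k["alg"] for k in keys}):
        ksks = [k for k in keys if k["alg"] == alg and k["flags"] & 0x0001]
        revoked = [k for k in ksks if k["flags"] & 0x0080]
        if not any((alg, k["tag"]) in signed for k in ksks if k not in revoked):
            problems.append("alg %d: no self signed KSK's found" % alg)
        problems += ["alg %d: revoked KSK %d not self signed" % (alg, k["tag"])
                     for k in revoked if (alg, k["tag"]) not in signed]
    return problems
```

Running check_zone on the ZSK-only fragment reports the same condition that produces the fatal error above, while the fragment with a signing KSK passes cleanly.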


Reference
man page of dnssec-signzone http://linux.die.net/man/8/dnssec-signzone
