DNSSEC - First Signature
Posted
by
Arancha
on Server Fault
See other posts from Server Fault
or by Arancha
Published on 2010-11-29T14:04:31Z
Indexed on
2011/02/19
23:26 UTC
Read the original article
Hit count: 263
I'm testing DNSSEC with Bind 9.7.2-P2. I have a question regarding the first signature created over a zone that already exists. I'm using dynamic DNS.
I create the first two keys: one KSK and one ZSK. According to https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/, the first ZSK needs to be published for an interval equal to Ipub, before it can be active.
I create the ZSK with a Publication date previous to its Activation date. I restart the service and I can see that the key is published at Publication date, but it's no active later, when Activation date arrives.
This is the configuration of the zone dnssec.es at the named.conf file:
zone "dnssec.es" {
auto-dnssec maintain;
update-policy local;
sig-validity-interval 1;
key-directory "dnssec/keys_dnssec";
type master;
file "dnssec/db.dnssec.es";
};
Any clue??
Regards
© Server Fault or respective owner