DNSSEC - First Signature

Posted by Arancha on Server Fault See other posts from Server Fault or by Arancha
Published on 2010-11-29T14:04:31Z Indexed on 2011/02/19 23:26 UTC
Read the original article Hit count: 263

Filed under:
|

I'm testing DNSSEC with Bind 9.7.2-P2. I have a question regarding the first signature created over a zone that already exists. I'm using dynamic DNS.

I create the first two keys: one KSK and one ZSK. According to https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/, the first ZSK needs to be published for an interval equal to Ipub, before it can be active.

I create the ZSK with a Publication date previous to its Activation date. I restart the service and I can see that the key is published at Publication date, but it's no active later, when Activation date arrives.

This is the configuration of the zone dnssec.es at the named.conf file:

zone "dnssec.es" {
  auto-dnssec maintain;
  update-policy local;
  sig-validity-interval 1;
  key-directory "dnssec/keys_dnssec";
  type master;
  file "dnssec/db.dnssec.es";
};

Any clue??

Regards

© Server Fault or respective owner

Related posts about keys

Related posts about dnssec