Hi Maxi,
when it comes to updating the parent zone's DS during the rollover, Knot
automatically (unless overridden by config) publishes CDS and CDNSKEY
records in your zone. You can query your server and use them directly,
the parent's DS shall be equal to your CDS.
Libor
On 26.10.18 at 18:24, Maximilian Engelhardt wrote:
Hi,
I'm having a question about DNSSEC KSK rollover and obtaining the relevant
information for submission to the parent zone of the new key.
I'm currently using these steps:
- running "keymgr example.org list"
- manually identifying the new key using the parameters "ksk=yes" and having a
look at the created, publish, ready and active parameters. The new key always
seems to be the one with active=0 and I also check the dates of the other
parameters for plausibility. I then note the tag of the identified key.
- using "keymgr example.org dnskey <keytag>" or "keymgr example.org ds <keytag>" to get the corresponding information for submission to the parent zone.
Is there an easier way of achieving this, especially without the manual key
identification step? Ideally it would be a single command I can run and specify
the zone of interest and it will output the dnskey and/or ds information of
the new key.
Thanks,
Maxi
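One way to act on Libor's suggestion, as an added example that is not part of the thread: query the CDS set from your own Knot server, query the DS set the parent currently serves, and report whether they agree. It assumes `dig` is installed; `CHECK_ZONE` and `CHILD_NS` are placeholders supplied by the caller (example.org is the zone name from the thread).

```shell
#!/bin/sh
# Added example (not from the thread): compare the CDS set a Knot server publishes
# for a zone with the DS set the parent currently serves, as Libor suggests.
# Assumes `dig` is available; CHECK_ZONE / CHILD_NS are placeholders set by the caller.

# Normalise DS/CDS RDATA ("keytag alg digesttype digest") for textual comparison:
# dig may print the digest as several hex groups, so join fields 4..NF, lowercase, sort.
normalize_ds() {
    awk 'NF >= 4 { printf "%s %s %s ", $1, $2, $3; for (i = 4; i <= NF; i++) printf "%s", $i; print "" }' \
        | tr 'A-F' 'a-f' | sort -u
}

# CDS as served by our own authoritative server (the child side of the rollover).
fetch_cds() {
    dig +short @"$CHILD_NS" "$CHECK_ZONE" CDS | normalize_ds
}

# DS as published by the parent, seen through the default recursive resolver.
fetch_parent_ds() {
    dig +short "$CHECK_ZONE" DS | normalize_ds
}

# compare_ds CDS_TEXT DS_TEXT: 0 = parent DS matches CDS, 1 = mismatch, 2 = no CDS yet.
compare_ds() {
    cds=$(printf '%s\n' "$1" | normalize_ds)
    ds=$(printf '%s\n' "$2" | normalize_ds)
    if [ -z "$cds" ]; then
        echo "no CDS published (no KSK awaiting submission, or CDS publication disabled)"
        return 2
    fi
    if [ "$cds" = "$ds" ]; then
        echo "OK: parent DS matches the published CDS"
        return 0
    fi
    echo "MISMATCH: parent DS must be updated to the CDS below"
    printf 'CDS (child):\n%s\nDS (parent):\n%s\n' "$cds" "$ds"
    return 1
}

main() {
    compare_ds "$(fetch_cds)" "$(fetch_parent_ds)"
}

# Only query the network when the caller names a zone, e.g.
#   CHECK_ZONE=example.org CHILD_NS=ns1.example.org sh check-cds.sh
if [ -n "${CHECK_ZONE:-}" ]; then
    CHILD_NS="${CHILD_NS:-ns1.$CHECK_ZONE}"
    main
fi
```

The exit code (0 match, 1 mismatch, 2 no CDS) makes the check usable from cron or a monitoring job during the rollover.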