thr3ads.net - nsd users - [nsd-users] howto handle offline ksk [Mar 2015]

If this information is useful, please help other people find it:
Share via:

A. Schulze

2015-Mar-13 12:25 UTC

[nsd-users] howto handle offline ksk

Hello,

signing a zone using ldns-signzone is easy. At least if ksk and zsk  
are both available.

I would like t change the setup so host2 as no access to ksk.private.
This is how I think things would go:

Host1:
   create a ksk
   create a zsk
   sign this zsk
   transfer ksk.public + zsk.private + zsk.sig to Host2

Host2:
   include {ksk/zsk}.public in zone
   include zsk.sig in zone
   sign zone
   transfer ksk.public (or the DS(ksk.public)) to the delegating domain.

any suggestions if this is correct and howto do that using ldns tools ?
( at least: ... not using bind tools ... )

Thanks,
Andreas

Jan-Piet Mens

2022-Sep-22 08:18 UTC

head link

[nsd-users] howto handle offline ksk

>any suggestions if this is correct and howto do that using ldns tools ?
Only seven years have elapsed since you asked this question, and I hope
you've
not been holding your breath. :-)

I was asked yesterday and decided I should do something [1] about it. For
posterity I mention this here.

	-JP

[1] https://jpmens.net/2022/09/22/dnssec-signing-with-an-offline-ksk/

nsd users - Mar 2015 - howto handle offline ksk

[nsd-users] howto handle offline ksk

[nsd-users] howto handle offline ksk