...

  1. Export the public key as either DNSKEY or DS, depending on which format your parent zone wants it in. See the section "Export the public keys" for how to get the key information.

    Tip

    This step can be automated or semi-automated by placing a command in the <DelegationSignerSubmitCommand> tag. The tag should point to a binary that accepts the required key(s) as DNSKEY RRs on STDIN.

  2. Notify the Enforcer when you can see the DS RR in your parent zone. You usually give the keytag to the Enforcer, but if there are KSKs with the same keytag then use the CKA_ID.

    ods-ksmutil key ds-seen -z example.com -x 22499
    

    or

    ods-ksmutil key ds-seen -z example.com -k 9621ca39306ce050e8dd94c5ab837001
    
    Result:
    Found key with CKA_ID 9621ca39306ce050e8dd94c5ab837001
    Key 9621ca39306ce050e8dd94c5ab837001 made active
    

    And you will see that your KSK is now active:

    ods-ksmutil key list
    
    Keys:
    Zone:                           Keytype:      State:    Date of next transition:
    example.com                     ZSK           active    2010-10-15 07:20:53
    example.com                     KSK           active    2010-10-15 07:31:03
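
An added example (not OpenDNSSEC's own code) of a program the <DelegationSignerSubmitCommand> tag from step 1 could point to: it reads DNSKEY RRs on STDIN, derives SHA-256 DS RRs, and reports keys that share a keytag, which is the case where step 2 needs the CKA_ID instead. It assumes one RR per line without parentheses; the function names and the sample key are constructed for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical DelegationSignerSubmitCommand target: DNSKEY RRs on STDIN -> DS RRs."""
import base64
import hashlib
import struct
import sys
from collections import Counter

# Constructed sample: 3-byte dummy key material, not a real DNSKEY.
SAMPLE = ["example.com. 3600 IN DNSKEY 257 3 8 AQID"]


def parse_dnskey(line):
    """Return (owner, rdata_wire) for a one-line DNSKEY RR, else None."""
    fields = line.split(";", 1)[0].split()          # drop trailing comments
    if "DNSKEY" not in fields[1:]:
        return None
    i = fields.index("DNSKEY", 1)
    if len(fields) < i + 5:
        return None
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0].lower(), struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def to_ds(owner, rdata):
    """DS RR with digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha256(wire + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"


def convert(lines):
    """Return (ds_records, keytags shared by more than one key of the same owner)."""
    keys = [k for k in map(parse_dnskey, lines) if k]
    seen = Counter((owner, key_tag(rdata)) for owner, rdata in keys)
    collisions = sorted({tag for (_, tag), n in seen.items() if n > 1})
    return [to_ds(o, r) for o, r in keys], collisions


if __name__ == "__main__":
    records, collisions = convert(SAMPLE if sys.stdin.isatty() else sys.stdin)
    print("\n".join(records))
    if collisions:  # ds-seen -x would be ambiguous for these keytags
        print(f"keytag collision {collisions}: use ds-seen -k <CKA_ID>", file=sys.stderr)
```

The keytag in each emitted DS RR is the value later passed to `ods-ksmutil key ds-seen -x`.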
    

...