Use key tag ranges when generating multisigner keys
(cherry picked from commit 266530d473)
This commit is contained in:
@@ -37,8 +37,8 @@ dnssec-policy "multisigner-model2" {
|
||||
inline-signing no;
|
||||
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@ tag-range 32768 65535;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@ tag-range 32768 65535;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -130,8 +130,8 @@ $KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
|
||||
zone="multisigner-model2.kasp"
|
||||
echo_i "setting up zone: $zone"
|
||||
# Import the ZSK sets of the other providers into their DNSKEY RRset.
|
||||
ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.1)
|
||||
ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.2)
|
||||
ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 -M 0:32767 $zone 2>keygen.out.$zone.1)
|
||||
ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 -M 0:32767 $zone 2>keygen.out.$zone.2)
|
||||
# ZSK1 will be added to the unsigned zonefile.
|
||||
cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
|
||||
cat "../${ZSK1}.key" | grep -v ";.*" >"${zone}.zsk1"
|
||||
|
||||
Reference in New Issue
Block a user