[Pdns-users] Format of private keys in PowerDNSSEC (gmysql) doesn't correspond to BIND's

Jan-Piet Mens jp at mens.de
Thu Feb 24 17:49:15 UTC 2011

Hello Maik,

> The current version of the format is 1.3, but BIND accepts 1 point anything

Newer versions of `dnssec-keygen' generate a 1.3 version unless option
`-C' is used, in which case a version 1.2 is created:

        Compatibility mode: generates an old-style key, without any
        metadata. By default, dnssec-keygen will include the key's
        creation date in the metadata stored with the private key, and
        other dates may be set there as well (publication date,
        activation date, etc). Keys that include this data may be
        incompatible with older versions of BIND; the -C option
        suppresses them.

> In my opinion, the ldns parser should be adjusted to work the same way.

You're probably right, but seeing ldns came first, their authors may be
reluctant to add some flexibility to it. :-) As an aside, and FWIW,
neither Net::DNS nor ldns (both by NLnetlabs) support the 1.3 format.

This issue isn't terribly important, but I thought I'd point it out
before the release of PowerDNSSEC.


More information about the Pdns-users mailing list