[Pdns-users] Trouble rolling a ZSK

Mike Cardwell pdns-users at lists.grepular.com
Tue Oct 15 07:23:42 UTC 2019

On Mon, 2019-10-14 at 17:56 +0200, Pieter Lexis wrote:

> I spotted something that *might* be root of your issue (and perhaps a
> small bug on our end).

I think you've spotted the problem. I was running:

$ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1

Which was creating a new ZSK with an algorithm of 5, when the old KSK
and ZSK were both algorithm 7 in the db.

When I appended "-nsec3-sha1" to the algorithm argument, it started working:

$ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1-nsec3-

Not sure if this was my mistake, or a bug in the program, or a
combination, but FWIW, the reason I used "rsasha1" as my argument
instead of "rsasha1-nsec3-sha1" was because I felt like that was what
the help output was telling me to do:

root at ned:~# pdnsutil add-zone-key help
Oct 15 08:17:55 Reading random entropy from '/dev/urandom'
Syntax: pdnsutil add-zone-key ZONE zsk|ksk [BITS] [active|inactive]
root at ned:~# 

Thanks for your help,
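
The mismatch described above (a new ZSK created with algorithm 5, rsasha1, while the existing KSK and ZSK were algorithm 7, rsasha1-nsec3-sha1) is easy to catch before the key is added. The following Python is an added example, not code from this thread or from PowerDNS: it parses DNSKEY records in standard presentation format (as returned by `dig DNSKEY zone` or copied from the zone), derives the set of algorithms already in use, and reports whether the pdnsutil algorithm name you intend to pass to add-zone-key would silently introduce a second algorithm. The sample DNSKEY lines are constructed placeholders, not real key material; the name-to-number table uses the algorithm names pdnsutil documents, of which only rsasha1 (5) and rsasha1-nsec3-sha1 (7) appear in the thread.

```python
"""Check that a ZSK about to be added to a zone uses the same DNSSEC
algorithm as the keys already present in the zone's DNSKEY RRset.

Added example, not code from the pdns-users thread or from PowerDNS.
"""

import re

# DNSSEC algorithm numbers (IANA registry) mapped to the names that
# pdnsutil add-zone-key accepts. 5 and 7 are the pair confused above.
PDNSUTIL_ALGORITHMS = {
    5: "rsasha1",
    7: "rsasha1-nsec3-sha1",
    8: "rsasha256",
    10: "rsasha512",
    13: "ecdsa256",
    14: "ecdsa384",
    15: "ed25519",
    16: "ed448",
}
NAME_TO_NUMBER = {name: num for num, name in PDNSUTIL_ALGORITHMS.items()}

# Presentation format: owner [TTL] [IN] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<protocol>\d+)\s+(?P<algorithm>\d+)\s+(?P<key>.+)$"
)

# Constructed sample: two algorithm-7 keys, as in the zone discussed above.
# The key fields are placeholders, not real public keys.
SAMPLE_DNSKEYS = """\
; constructed sample for illustration only
parsemail.org. 3600 IN DNSKEY 257 3 7 AwEAAplaceholderKSK...
parsemail.org. 3600 IN DNSKEY 256 3 7 AwEAAplaceholderZSK...
"""


def parse_dnskeys(text):
    """Return one dict per DNSKEY record: owner, role (KSK/ZSK), algorithm."""
    keys = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError(f"not a DNSKEY record: {line!r}")
        flags = int(m["flags"])
        keys.append({
            "owner": m["owner"],
            # Flags 257 carry the SEP bit (bit 15, value 1): a KSK. 256: a ZSK.
            "role": "KSK" if flags & 1 else "ZSK",
            "algorithm": int(m["algorithm"]),
        })
    return keys


def check_new_key(dnskey_text, new_algorithm_name):
    """Decide whether adding a key with the given pdnsutil algorithm name
    keeps the zone on a single algorithm. Returns a dict with 'ok',
    'existing' (sorted algorithm numbers), 'new' and a human message."""
    if new_algorithm_name not in NAME_TO_NUMBER:
        raise ValueError(f"unknown pdnsutil algorithm name {new_algorithm_name!r}")
    new_alg = NAME_TO_NUMBER[new_algorithm_name]
    existing = sorted({k["algorithm"] for k in parse_dnskeys(dnskey_text)})
    result = {"existing": existing, "new": new_alg}
    if not existing or new_alg in existing:
        result["ok"] = True
        result["message"] = (
            f"algorithm {new_alg} ({new_algorithm_name}) matches the zone's keys"
        )
        return result
    wanted = ", ".join(PDNSUTIL_ALGORITHMS.get(a, str(a)) for a in existing)
    result["ok"] = False
    result["message"] = (
        f"algorithm {new_alg} ({new_algorithm_name}) would join existing "
        f"algorithm(s) {existing}; use {wanted} instead, or plan a proper "
        "algorithm rollover, since RFC 4035 requires the zone to be signed "
        "with every algorithm present in the DNSKEY RRset"
    )
    return result


if __name__ == "__main__":
    for name in ("rsasha1", "rsasha1-nsec3-sha1"):
        print(name, "->", check_new_key(SAMPLE_DNSKEYS, name)["message"])
```

Run it before `pdnsutil add-zone-key` with the algorithm name you plan to use; a `False` result means the new key would start a second algorithm in the zone, which is what broke the rollover here.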
