2 of our registries now support the option to use keygroups.
In this keygroup there is 1 KSK (possibly a second or third for key rollover), which can be used for multiple domains.
This is very handy because we can now register new domains and make them secure right away.
Every domain/zone has a separate ZSK, and uses the same KSK (which is known at the registry).
Problem: when signing a zone with the specific ZSK and the general KSK we get:
fatal: key K..... not at origin
We use this command:
dnssec-signzone \
-k Kgeneral.+008+12345.key \
-o mydomain.be \
myzonefile \
/var/named/sleutels/Kmyzone.+008+40246.key
Any suggestions?
(I contacted the registry more than a week ago, but still no answer there)
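
dnssec-signzone reports "not at origin" when the owner name of the DNSKEY record in a key file differs from the zone origin given with -o. The script below is an added example, not part of the original post, that checks this before signing. Its function names are hypothetical, and the key files it writes are constructed samples with placeholder key data.

```shell
#!/bin/sh
# Added example: pre-flight check for dnssec-signzone's "not at origin" error.

# Lower-case a DNS name and force exactly one trailing dot.
normalize_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.*$/./'
}

# Print the owner name of the first DNSKEY record in a K*.key file.
key_owner() {
    awk '!/^[ \t]*;/ && /DNSKEY/ { print $1; exit }' "$1"
}

# check_keys ORIGIN KEYFILE...  -> non-zero if any key is not owned by ORIGIN.
check_keys() {
    origin=$(normalize_name "$1"); shift
    rc=0
    for keyfile in "$@"; do
        raw=$(key_owner "$keyfile")
        if [ -z "$raw" ]; then
            echo "NO-DNSKEY $keyfile"; rc=1; continue
        fi
        owner=$(normalize_name "$raw")
        if [ "$owner" = "$origin" ]; then
            echo "ok        $keyfile (owner $owner)"
        else
            echo "MISMATCH  $keyfile (owner $owner, origin $origin)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample key files; the public key field is a placeholder.
make_sample_keys() {
    printf '%s\n' '; constructed KSK, owner name "general."' \
        'general. IN DNSKEY 257 3 8 PLACEHOLDER' > "$1/Kgeneral.+008+12345.key"
    printf '%s\n' '; constructed ZSK, owner name equals the zone origin' \
        'MyDomain.be. 3600 IN DNSKEY 256 3 8 PLACEHOLDER' \
        > "$1/Kmydomain.be.+008+40246.key"
}

# Run the check over the constructed samples in a temporary directory.
demo() {
    dir=$(mktemp -d)
    make_sample_keys "$dir"
    check_keys mydomain.be "$dir"/K*.key; status=$?
    rm -rf "$dir"
    return "$status"
}
demo || echo "at least one key is not at the zone origin"
```

The check reads the owner name from inside each key file rather than from the file name, so it also catches files that were renamed.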