it is pointless to convert revoked keys to DS or CDS records as
they cannot be used to provide a cryptographic link from the parent
zone.
(cherry picked from commit 04a5529c2da2187dde4cfce656fee023d55b1b47)
fatal("can't convert DNSKEY");
}
+ if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+ return;
+ }
+
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
return;
}
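Review bot: The new `DNS_KEYFLAG_REVOKE` check returns silently, so an operator who passes a revoked key (including with `showall` set) gets empty output and no indication why. Consider emitting a warning on stderr, or at least a verbose-level message naming the skipped key, before the `return;`. A one-line comment above the check saying that a revoked key cannot anchor a delegation would also help, since the reason currently lives only in the commit message. The ordering itself looks right: placing the check ahead of the `DNS_KEYFLAG_KSK` / `showall` test means `showall` cannot re-enable revoked keys, which matches the documented "never included".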
The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.
+By default, only KSKs are converted (keys with flags = 257). The
+``-A`` option includes ZSKs (flags = 256). Revoked keys are never
+included.
+
The input keys can be specified in a number of ways:
By default, ``dnssec-dsfromkey`` reads a key file named in the format
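Review bot: The sentence "Revoked keys are never included" in the added paragraph does not say that this holds even with ``-A``, and a reader who sees only "flags = 257" and "flags = 256" may not recognise a revoked key by its flags value. Suggest wording such as "Revoked keys are never included, even with ``-A``", and mentioning that the REVOKE bit adds 128 to the flags field (a revoked KSK shows flags = 385), so the three cases can be told apart from the key file. If the code stays silent when it skips a key, the paragraph should also say that no output is produced for such a key.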
The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
.sp
+By default, only KSKs are converted (keys with flags = 257). The
+\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never
+included.
+.sp
The input keys can be specified in a number of ways:
.sp
By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
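Review bot: The paragraph added after the first `.sp` repeats the reStructuredText wording word for word, so any clarification made there (for example stating that `\fB\-A\fP` does not override the exclusion of revoked keys) needs to land here too. If this man page is produced from the reStructuredText source, regenerate it rather than editing it by hand, so the two copies cannot drift.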