How to prepublish additional DNSKEY

Shumon Huque shuque at
Wed Jul 8 15:47:34 UTC 2020

On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <dot at> wrote:

> Klaus Darilion <klaus.darilion at> wrote:
> >
> > A signed zone shall be moved to another DNS provider. Hence I want to
> > add the public KSK of the gaining DNS provider as additional DNSKEY to
> > the zone.
> I guess you might already have seen this draft - it discusses long-term
> multi-provider setups rather than transitional ones, so it isn't directly
> on point, but it still has some useful ideas.

Thanks for mentioning our draft, Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same
technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.

Our scheme imports only the ZSK public key rather than the KSK. I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2,
which is more applicable to the general case of provider transfer.

> > So, what is the correct process to add an additional DNSKEY (only the
> > public key is known).
> I think you are looking for `dnssec-importkey`.

Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I
assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.

Shumon Huque
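The manual stitching mentioned above, as an added example that is not part of the original post or of BIND: it merges the gaining provider's public ZSK into the zone's existing DNSKEY RRset, refuses a key that is not a ZSK or not at the zone apex, and prints each key's RFC 4034 key tag so the result can be checked against what the other provider publishes. The zone name and the DNSKEY records are constructed samples with placeholder key blobs.

```python
import base64
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    def role(self) -> str:
        # RFC 4034 flags: 256 = zone key (ZSK), 257 = zone key + SEP bit (KSK).
        return "KSK" if self.flags & 1 else "ZSK"

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit sum over the RDATA (flags, protocol, algorithm, key).
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def parse_dnskey(line: str) -> DNSKEY:
    # Presentation format: owner ttl IN DNSKEY flags protocol algorithm base64 (key may span tokens).
    owner, ttl, cls, rtype, flags, proto, alg, *keyparts = line.split()
    if cls != "IN" or rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return DNSKEY(owner, int(ttl), int(flags), int(proto), int(alg), base64.b64decode("".join(keyparts)))

def merge_dnskey_rrset(zone: str, existing: list[str], imported: str) -> list[DNSKEY]:
    """Return the zone's DNSKEY RRset with the other provider's public ZSK added (idempotent)."""
    keys = [parse_dnskey(l) for l in existing]
    new = parse_dnskey(imported)
    if new.owner != zone:
        raise ValueError(f"imported key owner {new.owner} is not the zone apex {zone}")
    if new.role() != "ZSK":
        raise ValueError("import the other provider's ZSK: their RRsets are signed by it, not by their KSK")
    return keys if new in keys else keys + [new]

# Constructed sample records with tiny placeholder key blobs (not real key material).
ZONE = "example.com."
CURRENT_RRSET = [
    "example.com. 3600 IN DNSKEY 257 3 13 qrs=",      # our KSK
    "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA==",  # our ZSK
]
GAINING_PROVIDER_ZSK = "example.com. 3600 IN DNSKEY 256 3 13 ECA="

if __name__ == "__main__":
    for k in merge_dnskey_rrset(ZONE, CURRENT_RRSET, GAINING_PROVIDER_ZSK):
        print(f"{k.owner} {k.ttl} IN DNSKEY {k.flags} {k.protocol} {k.algorithm} ...  ; {k.role()} tag {k.key_tag()}")
```

The printed records are what you would feed, together with the rest of the zone, to dnssec-signzone; detaching the losing provider later is the same merge in reverse, dropping their ZSK once their signatures have expired from caches.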