How to prepublish additional DNSKEY
shuque at gmail.com
Wed Jul 8 15:47:34 UTC 2020
On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <dot at dotat.at> wrote:
> Klaus Darilion <klaus.darilion at nic.at> wrote:
> > A signed zone shall be moved to another DNS provider. Hence I want to
> > add the public KSK of the gaining DNS provider as additional DNSKEY to
> > the zone.
> I guess you might already have seen this draft - it discusses long-term
> multi-provider setups rather than transitional ones, so it isn't directly
> on point, but it still has some useful ideas.
Thanks for mentioning our draft Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same
technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.
Our scheme imports only the ZSK public key rather than the KSK. I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2,
which is more applicable to the general case of provider transfer.
> > So, what is the correct process to add an additional DNSKEY (only the
> > public key is known)?
> I think you are looking for `dnssec-importkey`.
Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I
assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.
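The "stitch together the DNSKEY RRset" step for the non-BIND case, as an added example that is not part of the thread or of BIND's tooling: it merges the zone's own DNSKEYs with the gaining provider's ZSK only (skipping their KSK, as the Model 2 reasoning above requires), normalises the RRset TTL, and computes RFC 4034 key tags so the result can be checked against what each provider publishes. The zone name, TTLs and key material are constructed placeholders.

```python
"""Stitch a DNSKEY RRset together from two providers' zone files (added example)."""
import base64
import struct

def placeholder_key(seed: int) -> str:
    """Constructed placeholder key material for the example; not a real public key."""
    return base64.b64encode(bytes((seed * 7 + i) % 256 for i in range(64))).decode()

# Constructed sample zone-file lines, as each provider might publish its DNSKEY RRset.
LOSING_ZONEFILE = f"""\
example.com. 3600 IN DNSKEY 257 3 13 {placeholder_key(1)}
example.com. 3600 IN DNSKEY 256 3 13 {placeholder_key(2)}
"""
GAINING_ZONEFILE = f"""\
example.com. 7200 IN DNSKEY 257 3 13 {placeholder_key(3)}
example.com. 7200 IN DNSKEY 256 3 13 {placeholder_key(4)}
"""

def parse_dnskeys(text):
    """Parse presentation-format DNSKEY lines (comments after ';' ignored) into dicts."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 7 or fields[3] != "DNSKEY":
            continue
        owner, ttl, _, _, flags, proto, alg = fields[:7]
        records.append({"owner": owner.lower(), "ttl": int(ttl), "flags": int(flags),
                        "proto": int(proto), "alg": int(alg),
                        "pubkey": "".join(fields[7:])})  # base64 may be split into chunks
    return records

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5 case)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def merge_dnskey_rrset(own_text, imported_text):
    """Own DNSKEYs plus the other provider's ZSK(s). Their KSK is not imported:
    validators need the key that signed their data, and that is their ZSK."""
    own = parse_dnskeys(own_text)
    owner, ttl = own[0]["owner"], own[0]["ttl"]  # one RRset: one owner, one TTL
    merged = list(own)
    for rec in parse_dnskeys(imported_text):
        if rec["owner"] != owner:
            raise ValueError(f"owner mismatch: {rec['owner']} != {owner}")
        if rec["flags"] != 256:  # only plain ZSKs: Zone Key bit set, SEP bit clear
            continue
        if any((r["alg"], r["pubkey"]) == (rec["alg"], rec["pubkey"]) for r in merged):
            continue  # already present, e.g. when the merge is re-run
        merged.append({**rec, "ttl": ttl})
    for r in merged:
        r["tag"] = key_tag(r["flags"], r["proto"], r["alg"], base64.b64decode(r["pubkey"]))
    return merged

def render_rrset(records):
    """Zone-file lines with the key tag in a trailing comment, for dnssec-signzone input."""
    return "\n".join(f"{r['owner']} {r['ttl']} IN DNSKEY {r['flags']} {r['proto']} "
                     f"{r['alg']} {r['pubkey']} ; key id = {r['tag']}" for r in records) + "\n"

if __name__ == "__main__":
    print(render_rrset(merge_dnskey_rrset(LOSING_ZONEFILE, GAINING_ZONEFILE)))
```

Compare the printed key ids with the ones each provider reports for its keys before signing; a mismatch means the wrong record (or a mangled base64 blob) was pasted.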