How to prepublish additional DNSKEY

Shumon Huque shuque at gmail.com
Wed Jul 8 15:47:34 UTC 2020


On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <dot at dotat.at> wrote:

> Klaus Darilion <klaus.darilion at nic.at> wrote:
> >
> > A signed zone shall be moved to another DNS provider. Hence I want to
> > add the public KSK of the gaining DNS provider as additional DNSKEY to
> > the zone.
>
> I guess you might already have seen this draft - it discusses long-term
> multi-provider setups rather than transitional ones, so it isn't directly
> on point, but it still has some useful ideas.
>
> https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec


Thanks for mentioning our draft Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same
technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.

Our scheme imports only the ZSK public key rather than the KSK.  I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2,
which is more applicable to the general case of provider transfer.


> > So, what is the correct process to add an additional DNSKEY (only the
> > public key is known)?
>
> I think you are looking for `dnssec-importkey`.
>

Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I
assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.

Shumon Huque
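As an added example (not code from the draft, from BIND, or from anyone in this thread): a small Python script that does the manual "stitching" mentioned above for signers outside BIND. It merges the gaining provider's public ZSK into the current DNSKEY RRset, refuses a KSK (the wrong key to import, as explained above), requires the algorithm to already be in use by the zone, and computes RFC 4034 key tags so the imported key can be checked against what the other provider reports. The zone name, TTLs and key bytes are constructed placeholders, not real keys.

```python
import base64
import struct

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSAMD5 algorithms)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' presentation format."""
    owner, ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype.upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    k = {"owner": owner.lower(), "ttl": int(ttl), "flags": int(flags),
         "proto": int(proto), "alg": int(alg), "key": base64.b64decode("".join(b64))}
    k["tag"] = key_tag(k["flags"], k["proto"], k["alg"], k["key"])
    return k

def dnskey_line(k):
    return "%s %d IN DNSKEY %d %d %d %s" % (k["owner"], k["ttl"], k["flags"],
            k["proto"], k["alg"], base64.b64encode(k["key"]).decode())

def import_zsk(current_rrset, foreign_records):
    """Add the other provider's ZSK(s) to the current DNSKEY RRset. KSKs (SEP bit
    set) are refused since their ZSK is what signs their data, and the algorithm
    must already be in the RRset (validators expect an RRSIG per algorithm, RFC 4035)."""
    merged = [parse_dnskey(l) for l in current_rrset]
    seen = {(k["alg"], k["tag"]) for k in merged}
    for line in foreign_records:
        k = parse_dnskey(line)
        if k["flags"] & 1:
            raise ValueError("refusing KSK (tag %d); import the ZSK instead" % k["tag"])
        if k["alg"] not in {m["alg"] for m in merged}:
            raise ValueError("algorithm %d is not used by this zone" % k["alg"])
        if (k["alg"], k["tag"]) not in seen:   # skip keys already published
            merged.append(k)
            seen.add((k["alg"], k["tag"]))
    return merged

# Constructed sample records: the key material is a filler byte pattern, not real keys.
def _sample(flags, fill):
    return dnskey_line({"owner": "example.com.", "ttl": 3600, "flags": flags,
                        "proto": 3, "alg": 13, "key": bytes([fill]) * 64})
CURRENT_RRSET = [_sample(257, 3), _sample(256, 2)]   # losing provider's KSK and ZSK
GAINING_ZSK = [_sample(256, 1)]                       # gaining provider's public ZSK
GAINING_KSK = [_sample(257, 4)]                       # their KSK: not the key to publish
if __name__ == "__main__":
    for k in import_zsk(CURRENT_RRSET, GAINING_ZSK):
        print("tag %5d  %s" % (k["tag"], dnskey_line(k)))
```

The resulting RRset is what the signer (e.g. dnssec-signzone) must sign with the zone's KSK; the losing provider's ZSK is removed the same way later, once the gaining provider's signatures have propagated.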