From Newsgroup: comp.protocols.dns.bind
On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <dot@dotat.at> wrote:

> Klaus Darilion <klaus.darilion@nic.at> wrote:
>
> > A signed zone shall be moved to another DNS provider. Hence I want to
> > add the public KSK of the gaining DNS provider as additional DNSKEY to
> > the zone.
>
> I guess you might already have seen this draft - it discusses long-term
> multi-provider setups rather than transitional ones, so it isn't directly
> on point, but it still has some useful ideas.
>
> https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

Thanks for mentioning our draft Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same
technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.

Our scheme imports only the ZSK public key rather than the KSK. I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2,
which is more applicable to the general case of provider transfer.

> > So, what is the correct process to add an additional DNSKEY (only the
> > public key is known)?
>
> I think you are looking for `dnssec-importkey`.

Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I
assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.

Shumon Huque
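The "stitch together the DNSKEY RRset with the imported ZSK" step for the dnssec-signzone case, and the later step of detaching the losing provider by deleting their ZSK, as an added example that is not part of the thread, the draft, or BIND's own tooling. It parses DNSKEY records in zone-file presentation format, computes the RFC 4034 key tag, tells ZSKs from KSKs by the SEP flag (256 vs 257), and only merges the other provider's ZSK into the local RRset, which is the point Shumon makes about importing the KSK alone not working. The zone name, TTLs and key blobs are constructed placeholders, not real keys.

```python
"""Merge a gaining provider's ZSK into the local DNSKEY RRset (added example)."""
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass

ZONE_KEY = 0x0100  # RFC 4034 2.1.1: bit 7 set means "this is a zone key"
SEP = 0x0001       # RFC 3757: bit 15 set marks a Secure Entry Point, i.e. a KSK


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    if algorithm == 1:  # RSA/MD5 legacy rule: 16 bits taken from the end of the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        if not self.flags & ZONE_KEY:
            return "not-a-zone-key"
        return "KSK" if self.flags & SEP else "ZSK"

    def key_tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.public_key)

    def to_presentation(self) -> str:
        b64 = base64.b64encode(self.public_key).decode()
        return f"{self.owner} {self.ttl} IN DNSKEY {self.flags} {self.protocol} {self.algorithm} {b64}"


def parse_dnskey(line: str) -> DNSKEY:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' as found in a zone file."""
    fields = line.split()
    owner, idx, ttl = fields[0].lower(), 1, 0
    if fields[idx].isdigit():
        ttl, idx = int(fields[idx]), idx + 1
    if fields[idx].upper() == "IN":
        idx += 1
    if fields[idx].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]), validate=True)  # key may span tokens
    return DNSKEY(owner, ttl, flags, proto, alg, key)


def merge_dnskey_rrsets(local: list[DNSKEY], imported: list[DNSKEY]) -> tuple[list[DNSKEY], list[str]]:
    """Return the handoff RRset (local keys + the other provider's ZSKs) and notes on skipped keys."""
    if not local:
        raise ValueError("local DNSKEY RRset is empty")
    owner, ttl = local[0].owner, local[0].ttl
    merged, notes = list(local), []
    seen = {(k.flags, k.protocol, k.algorithm, k.public_key) for k in local}
    for k in imported:
        if k.owner != owner:
            notes.append(f"skipped key tag {k.key_tag()}: owner {k.owner} is not {owner}")
        elif k.role != "ZSK":
            # Their KSK does not sign their zone data, so importing it alone buys nothing.
            notes.append(f"skipped key tag {k.key_tag()}: role {k.role}, only their ZSK is imported")
        elif (k.flags, k.protocol, k.algorithm, k.public_key) in seen:
            notes.append(f"key tag {k.key_tag()} already present")
        else:
            seen.add((k.flags, k.protocol, k.algorithm, k.public_key))
            # Every record in one RRset shares a TTL, so the imported key takes the local TTL.
            merged.append(DNSKEY(owner, ttl, k.flags, k.protocol, k.algorithm, k.public_key))
    return merged, notes


def detach_provider(rrset: list[DNSKEY], tags: set[int]) -> list[DNSKEY]:
    """Later step: drop the losing provider's keys (by key tag) once they no longer serve the zone."""
    return [k for k in rrset if k.key_tag() not in tags]


# Constructed sample data: 64-byte blobs stand in for ECDSA P-256 (alg 13) public keys.
LOSING_PROVIDER = [
    DNSKEY("example.com.", 3600, 257, 3, 13, bytes([0x11]) * 64),  # current KSK
    DNSKEY("example.com.", 3600, 256, 3, 13, bytes([0x22]) * 64),  # current ZSK
]
GAINING_PROVIDER_LINES = [  # what the gaining provider hands over, in presentation format
    "example.com. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(bytes([0x33]) * 64).decode(),
    "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes([0x44]) * 64).decode(),
]


def handoff_rrset() -> tuple[list[DNSKEY], list[str]]:
    imported = [parse_dnskey(line) for line in GAINING_PROVIDER_LINES]
    return merge_dnskey_rrsets(LOSING_PROVIDER, imported)


if __name__ == "__main__":
    rrset, notes = handoff_rrset()
    for k in rrset:
        print(f"; {k.role} tag {k.key_tag()}\n{k.to_presentation()}")
    print(*notes, sep="\n")
```

The merged records can be written out as the zone's DNSKEY RRset before running dnssec-signzone with the local keys; once the gaining provider serves the zone on its own, detach_provider removes the losing provider's ZSK by key tag, which is the final step Shumon describes.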