• How to prepublish additional DNSKEY

    From Klaus Darilion@klaus.darilion@nic.at to bind-users@lists.isc.org on Wed Jul 8 10:52:42 2020
    From Newsgroup: comp.protocols.dns.bind

    Hello all!
    A signed zone shall be moved to another DNS provider. Hence I want to add the public KSK of the gaining DNS provider as additional DNSKEY to the zone. My setup ist:
    Bind1 as hidden primary --> Bind2 as bump-in-the-wire signer -> public facing secondaries
    I tried to add the DNSKEY to the zone file of Bind1. Bind1 accepts the DNSKEY. But Bind2 only shows the DNSKEYs from the local key-directory, the original DNSKEY is removed/ignored.
    I also tried to add the additonal DNSKEY into the key-directory of Bind2 (no .private file, only .key file). It did not worked too.
    So, how is the correct process to add an additional DNSKEY (only the public key is known).
    Thanks
    Klaus
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Tony Finch@dot@dotat.at to Klaus Darilion on Wed Jul 8 16:32:29 2020
    From Newsgroup: comp.protocols.dns.bind

    Klaus Darilion <klaus.darilion@nic.at> wrote:

    A signed zone shall be moved to another DNS provider. Hence I want to
    add the public KSK of the gaining DNS provider as additional DNSKEY to
    the zone.

    I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than transitional ones, so it isn't direcly
    on point, but it still has some useful ideas.

    https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

    So, how is the correct process to add an additional DNSKEY (only the public key is known).

    I think you are looking for `dnssec-importkey`.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Viking, North Utsire, South Utsire, Northeast Forties: Northwesterly 4 to 6, becoming variable 2 to 4 except in South Utsire. Slight or moderate. Showers. Good.
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Shumon Huque@shuque@gmail.com to Tony Finch on Wed Jul 8 11:47:34 2020
    From Newsgroup: comp.protocols.dns.bind

    --00000000000076eba005a9f0076a
    Content-Type: text/plain; charset="UTF-8"

    On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <dot@dotat.at> wrote:

    Klaus Darilion <klaus.darilion@nic.at> wrote:

    A signed zone shall be moved to another DNS provider. Hence I want to
    add the public KSK of the gaining DNS provider as additional DNSKEY to
    the zone.

    I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than transitional ones, so it isn't direcly
    on point, but it still has some useful ideas.

    https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec


    Thanks for mentioning our draft Tony. The provider handoff case can just
    be considered a transitional state of the multi-provider setup, so the same technique can be applied to Klaus's problem. Klaus's case just needs a
    further step of detaching the losing provider later by deleting their ZSK.

    Our scheme imports only the ZSK public key rather than the KSK. I don't
    think importing the KSK alone works, because the other provider's data
    is signed by their ZSK. I suggest looking at the steps outlined in Model 2, which is more applicable to the general case of provider transfer.


    So, how is the correct process to add an additional DNSKEY (only the
    public key is known).

    I think you are looking for `dnssec-importkey`.


    Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
    for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I assume you can stitch together the DNSKEY RRset with the imported ZSK
    manually or with some scripting.

    Shumon Huque

    --00000000000076eba005a9f0076a
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    <div dir=3D"ltr"><div dir=3D"ltr">On Wed, Jul 8, 2020 at 11:33 AM Tony Finc=
    h &lt;<a href=3D"mailto:dot@dotat.at">dot@dotat.at</a>&gt; wrote:<br></div>= <div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margi= n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex= ">Klaus Darilion &lt;<a href=3D"mailto:klaus.darilion@nic.at" target=3D"_bl= ank">klaus.darilion@nic.at</a>&gt; wrote:<br>
    &gt;<br>
    &gt; A signed zone shall be moved to another DNS provider. Hence I want to<=

    &gt; add the public KSK of the gaining DNS provider as additional DNSKEY to=

    &gt; the zone.<br>

    I guess you might already have seen this draft - it discusses long-term<br> multi-provider setups rather than transitional ones, so it isn&#39;t direcl= y<br>
    on point, but it still has some useful ideas.<br>

    <a href=3D"https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnss= ec" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/draft-= ietf-dnsop-multi-provider-dnssec</a></blockquote><div><br></div><div>Thanks=
    for mentioning our draft Tony. The provider handoff case can just</div><di= v>be considered a transitional state of the multi-provider setup, so the sa= me</div><div>technique can be applied to Klaus&#39;s problem. Klaus&#39;s c= ase just needs a</div><div>further step of detaching the losing provider la= ter by deleting their ZSK.</div><div><br></div><div>Our scheme imports only=
    the ZSK public key rather than the KSK.=C2=A0 I don&#39;t</div><div>think = importing the KSK alone works, because the other provider&#39;s data</div><= div>is signed by their ZSK. I suggest looking at the steps outlined in Mode=
    l 2,</div><div>which is more applicable to the general case of provider tra= nsfer.</div><div><br></div><blockquote class=3D"gmail_quote" style=3D"margi= n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=


    &gt; So, how is the correct process to add an additional DNSKEY (only the p= ublic key is known).<br>

    I think you are looking for `dnssec-importkey`.<br></blockquote><div><br></= div><div>Yes, dnssec-importkey works fine with BIND&#39;s auto-dnssec confi= guration</div><div>for this task. If you&#39;re signing outside BIND (e.g. = with dnssec-signzone), I</div><div>assume you can stitch together the DNSKE=
    Y RRset with the imported ZSK</div><div>manually or with some scripting.</d= iv><div><br></div><div>Shumon Huque</div><div><br></div></div></div>

    --00000000000076eba005a9f0076a--
    --- Synchronet 3.18a-Linux NewsLink 1.113