Copy:
klaus.darilion@nic.at (Klaus Darilion)
Copy:
bind-users@lists.isc.org (
bind-users@lists.isc.org)
On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <
dot@dotat.at> wrote:
Klaus Darilion <klaus.darilion@nic.at> wrote:
A signed zone shall be moved to another DNS provider. Hence I want to
add the public KSK of the gaining DNS provider as additional DNSKEY to
the zone.
I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than transitional ones, so it isn't direcly
on point, but it still has some useful ideas.
https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec
Thanks for mentioning our draft Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.
Our scheme imports only the ZSK public key rather than the KSK. I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2, which is more applicable to the general case of provider transfer.
So, how is the correct process to add an additional DNSKEY (only the
public key is known).
I think you are looking for `dnssec-importkey`.
Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.
Shumon Huque
<div dir="ltr"><div dir="ltr">On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <<a href="mailto:
dot@dotat.at">
dot@dotat.at</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Klaus Darilion <<a href="mailto:
klaus.darilion@nic.at" target="_blank">
klaus.darilion@nic.at</a>> wrote:<br>
><br>
> A signed zone shall be moved to another DNS provider. Hence I want to<br> > add the public KSK of the gaining DNS provider as additional DNSKEY to<br> > the zone.<br>
I guess you might already have seen this draft - it discusses long-term<br> multi-provider setups rather than transitional ones, so it isn't direcly<br>
on point, but it still has some useful ideas.<br>
<a href="
https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec" rel="noreferrer" target="_blank">
https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec</a></blockquote><div><br></div><div>Thanks for mentioning our draft Tony. The
provider handoff case can just</div><div>be considered a transitional state of the multi-provider setup, so the same</div><div>technique can be applied to Klaus's problem. Klaus's case just needs a</div><div>further step of detaching the losing
provider later by deleting their ZSK.</div><div><br></div><div>Our scheme imports only the ZSK public key rather than the KSK. I don't</div><div>think importing the KSK alone works, because the other provider's data</div><div>is signed by their
ZSK. I suggest looking at the steps outlined in Model 2,</div><div>which is more applicable to the general case of provider transfer.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,
204);padding-left:1ex">
> So, how is the correct process to add an additional DNSKEY (only the public key is known).<br>
I think you are looking for `dnssec-importkey`.<br></blockquote><div><br></div><div>Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration</div><div>for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I</div>
<div>assume you can stitch together the DNSKEY RRset with the imported ZSK</div><div>manually or with some scripting.</div><div><br></div><div>Shumon Huque</div><div><br></div></div></div>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)