• Re: How to prepublish additional DNSKEY

    From Klaus Darilion@21:1/5 to Tony Finch on Thu Jul 9 11:51:03 2020
    Copy: bind-users@lists.isc.org (bind-users@lists.isc.org)

    So, how is the correct process to add an additional DNSKEY (only the public
    key is known)?

    I think you are looking for `dnssec-importkey`.

    Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
    rndc loadkeys myzone
    rndc sign myzone

    But the additional key is not added to the response of DNSKEY queries.

    I am using BIND 9.12.2-P2. Is this supported by BIND 9.12? (upgrade/downgrade is currently not possible)

    Thanks
    Klaus

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Stirnimann@21:1/5 to Klaus Darilion on Thu Jul 9 12:43:57 2020
    Copy: bind-users@lists.isc.org (bind-users@lists.isc.org)

    On 09.07.20 11:51, Klaus Darilion wrote:
    So, how is the correct process to add an additional DNSKEY (only the public key is known)?

    I think you are looking for `dnssec-importkey`.

    Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
    rndc loadkeys myzone
    rndc sign myzone

    But the additional key is not added to the response of DNSKEY queries.

    Does the key have correct timing metadata in the key file?

    Have a look at "dnssec-settime".

    Daniel

  • From Shumon Huque@21:1/5 to Daniel Stirnimann on Thu Jul 9 07:43:50 2020
    Copy: klaus.darilion@nic.at (Klaus Darilion)
    Copy: bind-users@lists.isc.org (bind-users@lists.isc.org)

    On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:

    On 09.07.20 11:51, Klaus Darilion wrote:
    So, how is the correct process to add an additional DNSKEY (only the public
    key is known)?

    I think you are looking for `dnssec-importkey`.

    Indeed. I imported the key and got a .key and .private file. I put those
    files in the same directory as the other keys, gave read permissions to
    bind and executed:
    rndc loadkeys myzone
    rndc sign myzone

    But the additional key is not added to the response of DNSKEY queries.

    Does the key have correct timing metadata in the key file?

    Have a look at "dnssec-settime".
    You can also set the timing metadata with dnssec-importkey itself (so that
    you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

    dnssec-importkey -P +5mi Kexample.com.+013+23941.key

    Shumon.


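Daniel's suggestion to inspect the timing metadata can be scripted. This added Python example (not from the thread, not part of BIND) parses the `; Publish:` / `; Delete:` comment lines that dnssec-keygen, dnssec-importkey and dnssec-settime write into a .key file and reports whether the key should currently be in the DNSKEY RRset. The scheduling rule it applies and the two sample key files are assumptions constructed for illustration; the DNSKEY RDATA is a placeholder.

```python
"""Check the timing metadata BIND stores in a DNSSEC .key file (added example)."""
import re
from datetime import datetime, timezone

# Timing metadata is stored as comments, e.g.
# "; Publish: 20200709095600 (Thu Jul  9 09:56:00 2020)"; timestamps are UTC.
_META = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_metadata(text):
    """Return {field: aware UTC datetime} for every timing comment in a .key file."""
    meta = {}
    for line in text.splitlines():
        m = _META.match(line)
        if m:
            meta[m.group(1)] = _parse_ts(m.group(2))
    return meta

def key_state(meta, now):
    """Whether the key belongs in the DNSKEY RRset at `now`. Assumed rule, matching
    how auto-dnssec maintain reads the metadata: published from Publish until
    Delete; with no Publish time at all there is nothing for rndc loadkeys to
    schedule, so the key never appears in DNSKEY answers."""
    publish, delete = meta.get("Publish"), meta.get("Delete")
    if publish is None:
        return "no-publish-time"
    if now < publish:
        return "pending"
    if delete is not None and now >= delete:
        return "deleted"
    return "published"

def check_key_file(text, now_ts):
    """Convenience wrapper: `now_ts` is a BIND-style UTC timestamp string."""
    return key_state(parse_key_metadata(text), _parse_ts(now_ts))

# Constructed samples (placeholder RDATA, not a real key): an import without -P,
# and one given "-P +5mi" at 09:51 UTC.
KEY_NO_TIMING = """\
; Created: 20200709095100 (Thu Jul  9 09:51:00 2020)
example.com. IN DNSKEY 257 3 13 PLACEHOLDER==
"""
KEY_WITH_PUBLISH = """\
; Created: 20200709095100 (Thu Jul  9 09:51:00 2020)
; Publish: 20200709095600 (Thu Jul  9 09:56:00 2020)
example.com. IN DNSKEY 257 3 13 PLACEHOLDER==
"""
```

Run `check_key_file(open(path).read(), "YYYYMMDDHHMMSS")` against the imported key to see whether it is still pending, already published, or was imported with no publish time at all.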