To: daniel.stirnimann@switch.ch (Daniel Stirnimann)
Copy: bind-users@lists.isc.org (bind-users@lists.isc.org)
Thanks - now it works.
Klaus
From: Shumon Huque <shuque@gmail.com>
Sent: Thursday, 9 July 2020 13:44
To: Daniel Stirnimann <daniel.stirnimann@switch.ch>
Cc: Klaus Darilion <klaus.darilion@nic.at>; bind-users@lists.isc.org
Subject: Re: AW: How to prepublish additional DNSKEY
On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:
> On 09.07.20 11:51, Klaus Darilion wrote:
> >>> So, how is the correct process to add an additional DNSKEY (only the public key is known).
> >>
> >> I think you are looking for `dnssec-importkey`.
> >
> > Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
> > rndc loadkeys myzone
> > rndc sign myzone
> >
> > But the additional key is not added to the response of DNSKEY queries.
> Does the key have correct timing metadata in the key file?
> Have a look at "dnssec-settime".
You can also set the timing metadata with dnssec-importkey itself (so that you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:
dnssec-importkey -P +5mi -K Kexample.com.+013+23941.key
Shumon.
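
A way to check the timing-metadata question raised in this thread before running `rndc loadkeys`, as an added example that is not part of the original messages. It assumes the BIND 9 key-file layouts (`; Publish: <YYYYMMDDHHMMSS> (...)` comments in a .key file, bare `Publish: <YYYYMMDDHHMMSS>` lines in a .private file); the function names and the state labels are this example's own, and the sample file is constructed.

```shell
#!/bin/sh
# Report whether a key file's Publish/Delete timing metadata schedules the
# key for inclusion in the DNSKEY RRset at a given time. Timestamps are
# 14-digit UTC values (YYYYMMDDHHMMSS), so they compare as plain integers.

# key_time FILE FIELD -> prints the 14-digit timestamp, or nothing if unset
key_time() {
    awk -v f="$2:" '
        { sub(/^; /, "") }   # .key files carry the metadata as "; " comments
        $1 == f && length($2) == 14 && $2 ~ /^[0-9]+$/ { print $2; exit }
    ' "$1"
}

# key_publish_state FILE [NOW] -> deleted | unscheduled | published | pending
key_publish_state() (
    file=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    pub=$(key_time "$file" Publish)
    del=$(key_time "$file" Delete)
    if [ -n "$del" ] && [ "$del" -le "$now" ]; then
        echo deleted        # Delete time has passed
    elif [ -z "$pub" ]; then
        echo unscheduled    # no Publish time set at all
    elif [ "$pub" -le "$now" ]; then
        echo published      # Publish time has passed
    else
        echo pending        # Publish time is still in the future
    fi
)

# Constructed sample in the .private layout (no key material), with a
# Publish time five minutes after creation, as in the -P +5mi case above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
Created: 20200709114400
Publish: 20200709114900
EOF

key_publish_state "$sample" 20200709114500   # one minute after import
key_publish_state "$sample" 20200709115000   # after the Publish time
```

An `unscheduled` result corresponds to the situation the thread describes: the files load, but nothing in the metadata says when the key should appear.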