On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <d...@dotat.at> wrote: > Klaus Darilion <klaus.daril...@nic.at> wrote: > > > > A signed zone shall be moved to another DNS provider. Hence I want to > > add the public KSK of the gaining DNS provider as additional DNSKEY to > > the zone. > > I guess you might already have seen this draft - it discusses long-term > multi-provider setups rather than transitional ones, so it isn't direcly > on point, but it still has some useful ideas. > > https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec
Thanks for mentioning our draft Tony. The provider handoff case can just be considered a transitional state of the multi-provider setup, so the same technique can be applied to Klaus's problem. Klaus's case just needs a further step of detaching the losing provider later by deleting their ZSK. Our scheme imports only the ZSK public key rather than the KSK. I don't think importing the KSK alone works, because the other provider's data is signed by their ZSK. I suggest looking at the steps outlined in Model 2, which is more applicable to the general case of provider transfer. > > So, how is the correct process to add an additional DNSKEY (only the > public key is known). > > I think you are looking for `dnssec-importkey`. > Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I assume you can stitch together the DNSKEY RRset with the imported ZSK manually or with some scripting. Shumon Huque
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users