OK, thanks - I thought that might be the case, and your confirmation is therefore much appreciated.

On Tue, Nov 9, 2021 at 1:27 AM libor.peltan <libor.peltan@nic.cz> wrote:

Hi Luveh,

public-only keys can appear in KASP DB after they're imported manually with `keymgr import-pub` command.

They are obviously not used when signing the zone. But they may still appear in the DNSKEY RRSet.

The use-case is, when you need to publish a DNSKEY record of some key that you have just in public form. For example, a migration from one signer to another.

BR,

Libor

On 08. 11. 21 at 20:28 Luveh Keraph wrote:
I have been trying to get a better understanding concerning the information Knot stores in its KASP.  Knot adds new key information into the KASP by means of the kasp_db_add_key function. One of the arguments to this function is a pointer to a key_params_t structure, one of whose members is called is_pub_only. This would seem to imply that the KASP may contain information about key pairs such that only the public component of the key pair is available to Knot.

Under what set of circumstances would such a key be stored in the KASP? Since they are used for signing RRs, any KSKs and ZSKs in the KASP have to be complete, in that both the private and the public components are available to Knot (I know that the private component itself is not present in the KASP, but that's OK). A KASP key for which the private component is not available could be used for verifying signatures - but that's not something that Knot does, right?

So, under what set of circumstances would Knot add a key to the KASP such that the is_pub_only member is set to true?
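The thread above describes the behaviour in words: a key imported with `keymgr import-pub` has no private half, is never used to produce RRSIGs, but is still published in the zone's DNSKEY RRset (the signer-migration case). The following Python script is an added example that models that split, not Knot's own code: the `KaspKey` layout, the `import_pub` helper and the `demo` function are hypothetical stand-ins for the KASP DB and for `keymgr import-pub`, while `key_tag` implements the RFC 4034 Appendix B key-tag computation so that the published record can be matched against a DS or an RRSIG by tag. The "other signer's" key is the Ed25519 KSK from the RFC 8080 example (key tag 3613); the local KSK's public half is a constructed byte string, not a real key.

```python
"""Model of a public-only DNSKEY: published in the DNSKEY RRset, never used
for signing.  Added example, not code from Knot DNS."""
import base64
from dataclasses import dataclass


@dataclass
class KaspKey:
    """Minimal stand-in for one KASP DB entry (hypothetical layout)."""
    keyid: str
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # DNSSEC algorithm number, e.g. 15 = Ed25519
    public_key: bytes   # raw public key octets
    is_pub_only: bool   # True when only the public half is known


def parse_bind_dnskey(line: str) -> tuple[str, int, int, int, bytes]:
    """Parse a BIND-style DNSKEY presentation line such as
    'example.com. 3600 IN DNSKEY 257 3 15 <base64>' (TTL optional)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format RDATA: 2-byte flags, protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def import_pub(db: list[KaspKey], keyid: str, line: str) -> KaspKey:
    """Model of `keymgr <zone> import-pub`: store a key with no private half."""
    _, flags, _, algorithm, pubkey = parse_bind_dnskey(line)
    key = KaspKey(keyid, flags, algorithm, pubkey, is_pub_only=True)
    db.append(key)
    return key


def dnskey_rrset(owner: str, db: list[KaspKey]) -> list[str]:
    """Every key in the DB is published, public-only ones included."""
    return [
        f"{owner} IN DNSKEY {k.flags} 3 {k.algorithm} "
        f"{base64.b64encode(k.public_key).decode()}"
        for k in db
    ]


def signing_keys(db: list[KaspKey]) -> list[KaspKey]:
    """Only keys with a private half can produce RRSIGs."""
    return [k for k in db if not k.is_pub_only]


# Constructed sample: a locally generated KSK (public half is a made-up
# 32-byte string, not a real key) plus the Ed25519 KSK from the RFC 8080
# example, imported public-only as the "other signer's" key.
LOCAL_KSK = KaspKey("local-ksk", 257, 15, bytes(range(32)), is_pub_only=False)
RFC8080_KEY_LINE = ("example.com. 3600 IN DNSKEY 257 3 15 "
                    "l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4=")


def build_demo_db() -> list[KaspKey]:
    db = [LOCAL_KSK]
    import_pub(db, "migrated-ksk", RFC8080_KEY_LINE)
    return db


def demo() -> dict:
    """Return what gets published, what may sign, and each key's tag."""
    db = build_demo_db()
    return {
        "published": dnskey_rrset("example.com.", db),
        "signers": [k.keyid for k in signing_keys(db)],
        "tags": {k.keyid: key_tag(dnskey_rdata(k.flags, k.algorithm, k.public_key))
                 for k in db},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows two DNSKEY records but a single signer: the imported key is visible to resolvers (so a DS pointing at it, or RRSIGs made by the other signer, keep validating during the migration), yet this instance never signs with it. Checking `key_tag` against the tag a validator reports is the quick way to confirm that the imported public half matches the record the other signer actually uses.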