Hi Libor,
our case is exactly what you described in 2)
I was able to import dnskey records from the other zone via "keymgr
import-pub" method.
So, I guess when I sign the zone the "foreign" dnskey record will just
get signed like the other records.
Thanks,
Thomas
On 14.01.20 at 10:34, libor.peltan wrote:
Hi all,
to make things clear, I would add some notes.
First, one needs to distinguish two possibilities:
1) importing the keys from previous software as they are, both their
public and private parts, and continue signing with the same keys while
switched to new software
For this, you probably utilize some of the keymgr commands: import-pem,
import-pkcs11, import-bind.
2) switching software together with a roll-over of all keys -- in this case
there is no need for importing the private keys, but for some time, the
new public keys must be pre-published in the old software before the
migration, and for some time the old public keys must be post-published
in the new software
For this, you might use the generate command for creating new Knot keys
and maybe the import-pub command to enable post-publishing of old keys (the
Bind format is relatively straightforward, so it can be "faked"
manually). Note that this might be tricky to do correctly.
(the method (2) is probably the same as "Changing DNS operators",
because they usually don't trust each other enough to share
private keys ;) )
BR,
Libor
On 14.01.20 at 09:59, Daniel Salzman wrote:
> Hi Thomas,
>
> It's not clear what the source DNS software is. Is it Bind or Knot DNS?
>
> The keymgr import is the right way. But you have to import full keys
> (private and public parts) for a seamless operation.
>
> Daniel
>
> On 1/14/20 12:37 AM, Thomas wrote:
>> Hi!
>>
>> I need to import dnskeys (KSKs & ZSKs) from an existing zone to my own
>> zone. This needs to be done due to a name server change without breaking
>> the chain of trust according to RFC6781 - Section 4.3.5. "Changing DNS
>> Operators"
>>
>> I read in the Knot documentation that manually added dnskeys will be
>> removed when the zone gets signed:
>>
>>
>> "Updating the DNSKEY records. The whole DNSKEY set in zone apex is
>> replaced by the keys from the KASP database. Note that keys added into
>> the zone file manually will be removed. To add an extra DNSKEY record
>> into the set, the key must be imported into the KASP database (possibly
>> deactivated)."
>>
>>
>> So I need to import these keys into the KASP via the keymgr tool, right?
>> There is the "keymgr import-pub" method that expects a key in BIND
>> format. Is that the appropriate method for my task? If so, how do I
>> convert a DNSKEY Record into a Bind public key file?
>>
>>
>> Thanks a lot!
>> Thomas
>>
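The DNSKEY-to-BIND-file conversion Thomas asks about, as an added example that is not part of this thread or of Knot's own tooling: it parses a DNSKEY RR in presentation format, computes the RFC 4034 Appendix B key tag, and writes a K<owner>+<alg>+<tag>.key file of the kind keymgr import-pub reads. The sample DNSKEY line, its 4-byte "key" and the example.com owner are constructed for the demonstration.

```python
import base64
from pathlib import Path

# Parse a DNSKEY RR as printed by dig or found in a zone file, e.g.
#   example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==
# TTL and class are optional in presentation format, so locate the
# "DNSKEY" token instead of assuming fixed positions.
def parse_dnskey(line):
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    # the base64 public key may be split over several whitespace-separated chunks
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, key

# RFC 4034 Appendix B key tag, computed over the wire-format RDATA
# (flags, protocol, algorithm, public key).
def key_tag(flags, proto, alg, key):
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# Build the BIND-style public key file name and content. The owner name is
# normalized to a trailing dot, as BIND does in its K<name>+<alg>+<tag>.key files.
def to_bind_pubkey(line):
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not owner.endswith("."):
        owner += "."
    tag = key_tag(flags, proto, alg, key)
    fname = f"K{owner}+{alg:03d}+{tag:05d}.key"
    role = "key-signing" if flags & 1 else "zone-signing"   # SEP bit marks a KSK
    body = (f"; This is a {role} key, keyid {tag}, for {owner}\n"
            f"{owner} IN DNSKEY {flags} {proto} {alg} "
            f"{base64.b64encode(key).decode()}\n")
    return fname, body

def write_bind_pubkey(line, directory="."):
    fname, body = to_bind_pubkey(line)
    path = Path(directory) / fname
    path.write_text(body)
    return path

if __name__ == "__main__":
    # constructed sample: KSK flags 257, algorithm 13, fake 4-byte key
    print(write_bind_pubkey("example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="))
```

The resulting file holds only the public part, so importing it publishes the foreign key for validators during the operator change without giving the new operator any signing capability with it.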