Hi Thomas,
I guess `keymgr ... delete ...` will do the job. Just check with `list`
first, to check which key is to be deleted.
To promote the changes to a running server, you will need `knotc
zone-sign your.zone.`.
BR,
Libor
Dne 05.11.20 v 14:32 Thomas napsal(a):
Hi Libor,
I come back to this issue from beginning of the year. After successfully
importing the old public keys with "import-pub" command, what is the
best way to remove them after everything is done?
Thanks a lot,
Thomas
On 14.01.20 10:34, libor.peltan wrote:
> Hi all,
>
> to make things clear, I would add some notes.
>
> First, one needs to distinguish two possibilities:
>
> 1) importing the keys from previous software as they are, both their
> public and private parts, and continue signing with the same keys while
> switched to new software
>
> For this, you probably utilize some of the keymgr commands: import-pem,
> import-pkcs11, import-bind.
>
> 2) switching software together with all keys' roll-over -- in this case
> there is no need for importing the private keys, but for some time, the
> new public keys must be pre-published in the old software before the
> migration, and for some time the old public keys must be post-published
> in the new software
>
> For this, you might use the generate command for creating new Knot keys
> and maybe import-pub command to enable post-publishing of old keys (the
> Bind format is relatively straight-forward, so it can be "faked"
> manually). Note that this might be tricky to do correctly.
>
> (the method (2) is probably the same as "Changing DNS operators",
> because they usually don't believe each other so that they would share
> private keys ;) )
>
> BR,
>
> Libor
>
>
> Dne 14.01.20 v 09:59 Daniel Salzman napsal(a):
>> Hi Thomas,
>>
>> It's not clear what is the source DNS software. Is it Bind or Knot DNS?
>>
>> The keymgr import is the right way. But you have to import full keys
>> (private and public parts) for a seamless operation.
>>
>> Daniel
>>
>> On 1/14/20 12:37 AM, Thomas wrote:
>>> Hi!
>>>
>>> I need to import dnskeys (KSKs & ZSKs) from an existing zone to my own
>>> zone. This needs to be done due to a name server change without breaking
>>> the chain of trust according to RFC6781 - Section 4.3.5. "Changing DNS
>>> Operators"
>>>
>>> I read in the Knot documentation that manually added DNSKEYs will be
>>> removed when the zone gets signed:
>>>
>>>
>>> "Updating the DNSKEY records. The whole DNSKEY set in zone apex is
>>> replaced by the keys from the KASP database. Note that keys added into
>>> the zone file manually will be removed. To add an extra DNSKEY record
>>> into the set, the key must be imported into the KASP database (possibly
>>> deactivated)."
>>>
>>>
>>> So I need to import these keys into the KASP via the keymgr tool, right?
>>> There is the "keymgr import-pub" method that expects a key in BIND
>>> format. Is that the appropriate method for my task? If so, how do I
>>> convert a DNSKEY Record into a Bind public key file?
>>>
>>>
>>> Thanks a lot!
>>> Thomas
>>>
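Thomas asks how to turn a DNSKEY record into a BIND-format public key file for `keymgr import-pub`, and Libor notes the format is simple enough to write by hand. The following Python script is an added example, not part of this thread or of Knot DNS: the DNSKEY record is a constructed sample with a short bogus public key, the key tag is computed per RFC 4034 Appendix B, and the `K<owner>+<alg>+<tag>.key` file name follows BIND's naming convention.

```python
import base64
from dataclasses import dataclass


@dataclass
class DnsKey:
    owner: str
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey: bytes


def parse_dnskey(rr: str) -> DnsKey:
    """Parse a DNSKEY RR in presentation format; TTL and class are optional."""
    tokens = rr.split()
    owner = tokens[0] if tokens[0].endswith(".") else tokens[0] + "."
    i = 1
    if tokens[i].isdigit():          # optional TTL
        i += 1
    if tokens[i].upper() == "IN":    # optional class
        i += 1
    if tokens[i].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    # The base64 blob may be split across several whitespace-separated tokens.
    pubkey = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    return DnsKey(owner, flags, protocol, algorithm, pubkey)


def key_tag(key: DnsKey) -> int:
    """Key tag over the wire-format RDATA, RFC 4034 Appendix B."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def bind_key_filename(key: DnsKey) -> str:
    """BIND's K<owner>+<alg>+<tag>.key naming convention."""
    return f"K{key.owner}+{key.algorithm:03d}+{key_tag(key):05d}.key"


def bind_key_file(key: DnsKey) -> str:
    """Contents of a BIND-style public key file: a comment line plus the DNSKEY RR."""
    role = "key-signing" if key.flags & 1 else "zone-signing"
    b64 = base64.b64encode(key.pubkey).decode()
    return (f"; This is a {role} key, keyid {key_tag(key)}, for {key.owner}\n"
            f"{key.owner} IN DNSKEY {key.flags} {key.protocol} {key.algorithm} {b64}\n")


if __name__ == "__main__":
    # Constructed sample record with a 4-byte placeholder public key (not a real key).
    sample = parse_dnskey("example.com. 3600 IN DNSKEY 257 3 13 AAECAw==")
    print(bind_key_filename(sample))
    print(bind_key_file(sample), end="")
```

Write the returned text to the printed file name and pass that file to `keymgr <zone> import-pub`; check the tag in the comment line against the one the old operator's DS record references.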