Re: [knot-dns-users] import public dnskey

Hi LIbor, thanks, that worked. Yet I have a problem here. I imported the old key with the "import-pub" method. This key has a different algorithm that the current ones. Is it possible that this will not work? When I try to sign the zone after I imported the old key I get the following error: 2020-11-05T16:14:28+0000 info: [example.] DNSSEC, key, tag 14236, algorithm RSASHA1_NSEC3_SHA1, KSK, public 2020-11-05T16:14:28+0000 info: [example.] DNSSEC, key, tag 38306, algorithm RSASHA256, KSK, public, ready, active+ 2020-11-05T16:14:28+0000 info: [example.] DNSSEC, key, tag 4378, algorithm RSASHA256, public, active 2020-11-05T16:14:28+0000 error: [example.] DNSSEC, keys validation failed (missing active KSK or ZSK) 2020-11-05T16:14:28+0000 error: [example.] DNSSEC, failed to load keys (missing active KSK or ZSK) Thanks for your help! Thomas On 05.11.20 14:34, libor.peltan wrote: > Hi Thomas, > > I guess `keymgr ... delete ...` will do the job. Just check with `list` > first, to check which key is to be deleted. > > To promote the changes to a running server, you will need `knotc > zone-sign your.zone.`. > > BR, > > Libor > > Dne 05.11.20 v 14:32 Thomas napsal(a): >> Hi Libor, >> >> I come back to this issue from beginning of the year. After successfully >> importing the old public keys with "import-pub" command, what is the >> best way to remove them after everything is done? >> >> Thanks a lot, >> Thomas >> >> On 14.01.20 10:34, libor.peltan wrote: >>> Hi all, >>> >>> to make things clear, I would add some notes. >>> >>> First, one needs to distinguish two possibilities: >>> >>> 1) importing the keys from previous software as they are, both their >>> public and private parts, and continue signing with the same keys while >>> switched to new software >>> >>> For this, you probably utilize some of the keymgr commands: import-pem, >>> import-pkcs11, import-bind. >>> >>> 2) switching software together with all key's roll-over -- in this case >>> there is no need for importing the private keys, but for some time, the >>> new public keys must be pre-published in the old software before the >>> migration, and for some time the old public keys must be post-published >>> in the new software >>> >>> For this, you might use the generate command for creating new Knot keys >>> and maybe import-pub command to enable post-publishing of old keys (the >>> Bind format is relatively straight-forward, so it can be "faked" >>> manually). Note that this might be tricky to do correctly. >>> >>> (the method (2) is probably the same as "Changing DNS operators", >>> because they usually don't believe each other so that they would share >>> private keys ;) ) >>> >>> BR, >>> >>> Libor >>> >>> >>> Dne 14.01.20 v 09:59 Daniel Salzman napsal(a): >>>> Hi Thomas, >>>> >>>> It's not clear what is the source DNS software. Is it Bind or Knot DNS? >>>> >>>> The keymgr import is the right way. But you have to import full keys >>>> (private and public parts) for a seamless operation. >>>> >>>> Daniel >>>> >>>> On 1/14/20 12:37 AM, Thomas wrote: >>>>> Hi! >>>>> >>>>> I need to import dnskeys (KSKs & ZSKs) from an existing zone to my own >>>>> zone. This needs to be done due to a name server change without >>>>> breaking >>>>> the chain of trust according to RFC6781 - Section 4.3.5.  "Changing >>>>> DNS >>>>> Operators" >>>>> >>>>> I read in the KNon documentation that manual added dnskeys will be >>>>> removed when the zone gets signed: >>>>> >>>>> >>>>> "Updating the DNSKEY records. The whole DNSKEY set in zone apex is >>>>> replaced by the keys from the KASP database. Note that keys added into >>>>> the zone file manually will be removed. To add an extra DNSKEY record >>>>> into the set, the key must be imported into the KASP database >>>>> (possibly >>>>> deactivated)." >>>>> >>>>> >>>>> So I need to import these keys into the KASP via the keymgr tool, >>>>> right? >>>>> There is the "keymgr import-pub" method that expects a key in BIND >>>>> format. Is that the appropriate method for my task? If so, how do I >>>>> convert a DNSKEY Record into a Bind public key file? >>>>> >>>>> >>>>> Thanks a lot! >>>>> Thomas >>>>>