Hi Luveh,
Public-only keys can appear in the KASP DB after they're imported manually
with the `keymgr import-pub` command.
They are obviously not used when signing the zone. But they may still
appear in the DNSKEY RRSet.
The use case is when you need to publish a DNSKEY record of some key
that you have only in public form. For example, a migration from one
signer to another.
BR,
Libor
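As an added example (not Knot's own code and not from this thread), the following Python check is one a practitioner might run during the signer migration described above: it computes the RFC 4034 key tag of every DNSKEY in a zone dump and reports which keys are published without any RRSIG naming them, which is how an imported public-only key should look. The zone records are constructed sample data, and `audit_dnskeys` / `public_only_candidates` are hypothetical names.

```python
import base64
import struct

# Constructed sample zone data (not a real zone): a signing KSK, a signing ZSK,
# and a public-only KSK imported with `keymgr import-pub` that signs nothing.
SAMPLE_ZONE = """
example.com. 3600 IN DNSKEY 257 3 13 {ksk}
example.com. 3600 IN DNSKEY 256 3 13 {zsk}
example.com. 3600 IN DNSKEY 257 3 13 {pub_only}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20211201000000 20211101000000 1038 example.com. c2lnMQ==
example.com. 3600 IN RRSIG SOA 13 2 3600 20211201000000 20211101000000 9261 example.com. c2lnMg==
""".format(
    ksk=base64.b64encode(bytes(64)).decode(),        # constructed, all-zero key material
    zsk=base64.b64encode(b"\x01" * 64).decode(),     # constructed
    pub_only=base64.b64encode(b"\x02" * 64).decode(),  # constructed
)


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA, carry folded in."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def audit_dnskeys(zone_text: str) -> dict:
    """Map key tag -> {"flags", "signs"}; "signs" is True if some RRSIG names that tag."""
    keys, signing_tags = {}, set()
    for line in zone_text.splitlines():
        tok = line.split()
        if len(tok) < 5:
            continue
        if tok[3] == "DNSKEY":
            flags, proto, alg = map(int, tok[4:7])
            tag = dnskey_key_tag(flags, proto, alg, "".join(tok[7:]))
            keys[tag] = {"flags": flags, "signs": False}
        elif tok[3] == "RRSIG":
            signing_tags.add(int(tok[10]))  # key tag field of the RRSIG
    for tag in keys:
        keys[tag]["signs"] = tag in signing_tags
    return keys


def public_only_candidates(zone_text: str) -> list:
    """Key tags present in the DNSKEY RRset that never appear as an RRSIG signer."""
    return sorted(tag for tag, info in audit_dnskeys(zone_text).items() if not info["signs"])
```

On the sample data the imported key shows up as published but not signing, while the KSK and ZSK are both found in RRSIG key tag fields; before switching signers, comparing the reported tag with the DS record you plan to publish is the useful follow-up.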
On 08. 11. 21 at 20:28, Luveh Keraph wrote:
I have been trying to get a better understanding concerning the
information Knot stores in its KASP. Knot adds new key
information into the KASP by means of the kasp_db_add_key function.
One of the arguments to this function is a pointer to a key_params_t
structure, one of whose members is called is_pub_only. This would seem
to imply that the KASP may contain information about key pairs such
that only the public component of the key pair is available to Knot.
Under what set of circumstances would such a key be stored in the
KASP? Since they are used for signing RRs, any KSKs and ZSKs in the
KASP have to be complete, in that both the private and the public
components are available to Knot (I know that the private component
itself is not present in the KASP, but that's OK). A KASP key for
which the private component is not available could be used for
verifying signatures - but that's not something that Knot does, right?
So, under what set of circumstances would Knot add a key to the KASP such
that the is_pub_only member is set to true?