• AW: AW: How to prepublish additional DNSKEY

    From Klaus Darilion@klaus.darilion@nic.at to Shumon Huque on Wed Jul 15 14:30:15 2020
    From Newsgroup: comp.protocols.dns.bind


    Thanks - now it works.
    Klaus

    From: Shumon Huque <shuque@gmail.com>
    Sent: Thursday, 9 July 2020 13:44
    To: Daniel Stirnimann <daniel.stirnimann@switch.ch>
    Cc: Klaus Darilion <klaus.darilion@nic.at>; bind-users@lists.isc.org
    Subject: Re: AW: How to prepublish additional DNSKEY

    On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:

    On 09.07.20 11:51, Klaus Darilion wrote:
    >>> So, how is the correct process to add an additional DNSKEY (only the public
    >>> key is known).
    >>
    >> I think you are looking for `dnssec-importkey`.
    >
    > Indeed. I imported the key and got a .key and .private file. I put those
    > files in the same directory as the other keys, gave read permissions to bind and executed:
    > rndc loadkeys myzone
    > rndc sign myzone
    >
    > But the additional key is not added to the response of DNSKEY queries.

    Does the key have correct timing metadata in the key file?

    Have a look at "dnssec-settime".

    You can also set the timing metadata with dnssec-importkey itself (so that you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

        dnssec-importkey -P +5mi -K Kexample.com.+013+23941.key

    Shumon.

    --- Synchronet 3.18a-Linux NewsLink 1.113
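
An added example, not part of the original thread: a small shell check for the question raised above, whether a key file carries a Publish time and whether that time has been reached. It assumes the `; Publish: YYYYMMDDHHMMSS` comment line that BIND's key tools write into `K*.key` files; the function names and the sample key contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the Publish timing metadata of a BIND K*.key file.

# key_publish_state KEYFILE [NOW]
#   NOW is a UTC timestamp in YYYYMMDDHHMMSS form (default: current time).
#   Prints one of:
#     unset      no "; Publish:" line in the file
#     pending    Publish time is still in the future
#     published  Publish time has been reached
key_publish_state() {
    keyfile=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    # Timing metadata is stored as comment lines, for example:
    #   ; Publish: 20200709114900 (Thu Jul  9 11:49:00 2020)
    publish=$(sed -n 's/^; Publish: \([0-9]\{14\}\).*/\1/p' "$keyfile" | head -n 1)
    if [ -z "$publish" ]; then
        echo unset
    elif [ "$publish" -le "$now" ]; then
        echo published
    else
        echo pending
    fi
}

# write_sample_key FILE [PUBLISH]
#   Writes a constructed key file for testing. The DNSKEY RDATA is a
#   placeholder, not a real public key.
write_sample_key() {
    {
        echo "; This is a key-signing key, keyid 23941, for example.com."
        echo "; Created: 20200709114400 (Thu Jul  9 11:44:00 2020)"
        if [ -n "$2" ]; then
            echo "; Publish: $2"
        fi
        echo "example.com. IN DNSKEY 257 3 13 Q09OU1RSVUNURUQ="
    } > "$1"
}

# Demo on a constructed key file (name pattern taken from the thread).
demo_dir=$(mktemp -d)
demo_key="$demo_dir/Kexample.com.+013+23941.key"
write_sample_key "$demo_key" 20200709114900
key_publish_state "$demo_key" 20200709114400   # evaluated before the Publish time
key_publish_state "$demo_key"                  # evaluated at the current time
rm -rf "$demo_dir"
```

Running it against the real key directory before `rndc loadkeys` shows which imported keys still lack a Publish time or have one set in the future.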