• AW: How to prepublish additional DNSKEY

    From Klaus Darilion@klaus.darilion@nic.at to Tony Finch on Thu Jul 9 11:51:03 2020
    From Newsgroup: comp.protocols.dns.bind

    >> So, what is the correct process to add an additional DNSKEY (only the public
    >> key is known)?
    >
    > I think you are looking for `dnssec-importkey`.

    Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
    rndc loadkeys myzone
    rndc sign myzone
    But the additional key is not added to the response of DNSKEY queries.
    I am using Bind 9.12.2-P2. Is this supported by Bind 9.12? (Upgrade/downgrade is currently not possible.)
    Thanks
    Klaus
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Daniel Stirnimann@daniel.stirnimann@switch.ch to Klaus Darilion on Thu Jul 9 12:43:57 2020
    From Newsgroup: comp.protocols.dns.bind

    On 09.07.20 11:51, Klaus Darilion wrote:
    >>> So, what is the correct process to add an additional DNSKEY (only the public
    >>> key is known)?
    >>
    >> I think you are looking for `dnssec-importkey`.
    >
    > Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
    > rndc loadkeys myzone
    > rndc sign myzone
    >
    > But the additional key is not added to the response of DNSKEY queries.

    Does the key have correct timing metadata in the key file?

    Have a look at "dnssec-settime".

    Daniel
  • From Shumon Huque@shuque@gmail.com to Daniel Stirnimann on Thu Jul 9 07:43:50 2020
    From Newsgroup: comp.protocols.dns.bind

    On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:

    > On 09.07.20 11:51, Klaus Darilion wrote:
    > >>> So, what is the correct process to add an additional DNSKEY (only the public
    > >>> key is known)?
    > >>
    > >> I think you are looking for `dnssec-importkey`.
    > >
    > > Indeed. I imported the key and got a .key and .private file. I put those
    > > files in the same directory as the other keys, gave read permissions to
    > > bind and executed:
    > > rndc loadkeys myzone
    > > rndc sign myzone
    > >
    > > But the additional key is not added to the response of DNSKEY queries.
    >
    > Does the key have correct timing metadata in the key file?
    >
    > Have a look at "dnssec-settime".


    You can also set the timing metadata with dnssec-importkey itself (so that
    you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

    dnssec-importkey -P +5mi Kexample.com.+013+23941.key

    Shumon.

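A quick way to perform the check Daniel suggests, and to see what Shumon's `-P` offset actually changes, is to read the timing comments at the top of the `.key` file. The script below is an added example, not code from this thread or from BIND. It assumes the comment layout that `dnssec-keygen`, `dnssec-importkey` and `dnssec-settime` write (`; Publish: YYYYMMDDHHMMSS (human-readable date)`, timestamps in UTC); the sample key file, its timestamps and the key material are constructed, with only the key tag 23941 and algorithm 13 taken from the file name quoted in the thread.

```python
"""Check the timing metadata BIND stores in a K<zone>.+<alg>+<keyid>.key file.

With automatic key maintenance (auto-dnssec maintain / inline-signing) named
adds a key to the zone's DNSKEY RRset only once its Publish time has been
reached. An imported key whose Publish time is missing or in the future gives
exactly the symptom in the thread: loadkeys and sign succeed, the key never
appears in DNSKEY answers.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of the comment header BIND's key tools write at the top
# of a .key file. Key tag 23941 and algorithm 13 come from the file name in
# the thread; the timestamps and the key material are made up.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 23941, for example.com.
; Created: 20200709115100 (Thu Jul  9 11:51:00 2020)
; Publish: 20200709115600 (Thu Jul  9 11:56:00 2020)
; Activate: 20200709115600 (Thu Jul  9 11:56:00 2020)
example.com. IN DNSKEY 256 3 13 PLACEHOLDERKEYMATERIALNOTAREALKEY==
"""

# BIND's timing fields in lifecycle order; values are YYYYMMDDHHMMSS in UTC.
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
_TIMING_LINE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b")


def parse_timing(key_file_text):
    """Return {field: UTC datetime} for every timing comment present."""
    timing = {}
    for line in key_file_text.splitlines():
        m = _TIMING_LINE.match(line)
        if m and m.group(1) in TIMING_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


def key_state(timing, now):
    """Describe how named's automatic key maintenance treats the key at `now`."""
    publish = timing.get("Publish")
    if publish is None:
        return "unpublished (no Publish time)"
    delete = timing.get("Delete")
    if delete is not None and now >= delete:
        return "removed (Delete time passed)"
    if now < publish:
        return "pending publication"
    activate = timing.get("Activate")
    if activate is None or now < activate:
        return "published, not yet active"
    inactive = timing.get("Inactive")
    if inactive is not None and now >= inactive:
        return "published, retired"
    return "published, active"


def check_key_file(key_file_text, now_iso):
    """Parse a .key file and classify it at the given ISO-8601 UTC time."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return key_state(parse_timing(key_file_text), now)


if __name__ == "__main__":
    # Usage: python check_key_timing.py [Kexample.com.+013+23941.key]
    # Without an argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEY_FILE
    timing = parse_timing(text)
    for field, when in sorted(timing.items(), key=lambda kv: kv[1]):
        print(f"{field:9} {when:%Y-%m-%d %H:%M:%S} UTC")
    print("state now:", key_state(timing, datetime.now(timezone.utc)))
```

Run it against the imported key file right after `dnssec-importkey`: a result of "unpublished (no Publish time)" or "pending publication" explains why `rndc loadkeys` followed by `rndc sign` does not change the DNSKEY answer, and the fix is the `-P` offset from the thread (or `dnssec-settime -P`) followed by another `rndc loadkeys`.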