From Newsgroup: comp.protocols.dns.bind

So, how is the correct process to add an additional DNSKEY (only the public

key is known).

I think you are looking for `dnssec-importkey`.

Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
rndc loadkeys myzone
rndc sign myzone
But the additional key is not added to the reponse of DNSKEY queries.
I am using Bind - 9.12.2-P2. Is this supported by Bind 9.12? (upgrade/downgrade is currently not possible)
Thanks
Klaus
--- Synchronet 3.18a-Linux NewsLink 1.113

From Newsgroup: comp.protocols.dns.bind


On 09.07.20 11:51, Klaus Darilion wrote:

So, how is the correct process to add an additional DNSKEY (only the public >> key is known).

I think you are looking for `dnssec-importkey`.

Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
rndc loadkeys myzone
rndc sign myzone

But the additional key is not added to the reponse of DNSKEY queries.

Does the key have correct timing metadata in the key file?

Have a look at "dnssec-settime".

Daniel
--- Synchronet 3.18a-Linux NewsLink 1.113

From Newsgroup: comp.protocols.dns.bind

--0000000000009d918605aa00bd4c
Content-Type: text/plain; charset="UTF-8"

On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <
daniel.stirnimann@switch.ch> wrote:

On 09.07.20 11:51, Klaus Darilion wrote:

So, how is the correct process to add an additional DNSKEY (only the public

key is known).

I think you are looking for `dnssec-importkey`.

Indeed. I imported the key and got a .key and .private file. I put those

files in the same directory as the other keys, gave read permissions to
bind and executed:

rndc loadkeys myzone
rndc sign myzone

But the additional key is not added to the reponse of DNSKEY queries.

Does the key have correct timing metadata in the key file?

Have a look at "dnssec-settime".

You can also set the timing metadata with dnssec-importkey itself (so that
you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

dnssec-importkey -P +5mi -K Kexample.com.+013+23941.key

Shumon.

--0000000000009d918605aa00bd4c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Thu, Jul 9, 2020 at 6:44 AM Daniel Sti= rnimann &lt;<a href=3D"mailto:daniel.stirnimann@switch.ch">daniel.stirniman= n@switch.ch</a>&gt; wrote:<br></div><div class=3D"gmail_quote"><blockquote = class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px sol=
id rgb(204,204,204);padding-left:1ex"><br>
On 09.07.20 11:51, Klaus Darilion wrote:<br>
&gt;&gt;&gt; So, how is the correct process to add an additional DNSKEY (on=
ly the public<br>
&gt;&gt; key is known).<br>
&gt;&gt;<br>
&gt;&gt; I think you are looking for `dnssec-importkey`.<br>
&gt; <br>
&gt; Indeed. I imported the key and got a .key and .private file. I put tho=
se files in the same directory as the other keys, gave read permissions to = bind and executed:<br>
&gt; rndc loadkeys myzone<br>
&gt; rndc sign myzone<br>
&gt; <br>
&gt; But the additional key is not added to the reponse of DNSKEY queries.<=


Does the key have correct timing metadata in the key file?<br>

Have a look at &quot;dnssec-settime&quot;.<br></blockquote><div><br></div><= div>You can also set the timing metadata with dnssec-importkey itself (so t= hat you don&#39;t have to separately run dnssec-settime), e.g. to activate = key 5 minutes from now:</div><div><br></div><div>=C2=A0 =C2=A0 dnssec-impor= tkey -P +5mi -K Kexample.com.+013+23941.key<br></div><div><br></div><div>Sh= umon.</div><div><br></div></div></div>

--0000000000009d918605aa00bd4c--
--- Synchronet 3.18a-Linux NewsLink 1.113