How to prepublish additional DNSKEY


How to prepublish additional DNSKEY

Klaus Darilion-2
Hello all!

A signed zone shall be moved to another DNS provider. Hence I want to add the public KSK of the gaining DNS provider as additional DNSKEY to the zone. My setup is:

Bind1 as hidden primary --> Bind2 as bump-in-the-wire signer -> public facing secondaries

I tried to add the DNSKEY to the zone file of Bind1. Bind1 accepts the DNSKEY. But Bind2 only shows the DNSKEYs from the local key-directory, the original DNSKEY is removed/ignored.

I also tried to add the additional DNSKEY into the key-directory of Bind2 (no .private file, only .key file). It did not work either.

So, how is the correct process to add an additional DNSKEY (only the public key is known)?

Thanks
Klaus

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to prepublish additional DNSKEY

Tony Finch
Klaus Darilion <[hidden email]> wrote:
>
> A signed zone shall be moved to another DNS provider. Hence I want to
> add the public KSK of the gaining DNS provider as additional DNSKEY to
> the zone.

I guess you might already have seen this draft - it discusses long-term
multi-provider setups rather than transitional ones, so it isn't directly
on point, but it still has some useful ideas.

https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

> So, how is the correct process to add an additional DNSKEY (only the public key is known)?

I think you are looking for `dnssec-importkey`.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Northwesterly 4 to 6,
becoming variable 2 to 4 except in South Utsire. Slight or moderate. Showers.
Good.

Re: How to prepublish additional DNSKEY

Shumon Huque
On Wed, Jul 8, 2020 at 11:33 AM Tony Finch <[hidden email]> wrote:
> Klaus Darilion <[hidden email]> wrote:
> >
> > A signed zone shall be moved to another DNS provider. Hence I want to
> > add the public KSK of the gaining DNS provider as additional DNSKEY to
> > the zone.
>
> I guess you might already have seen this draft - it discusses long-term
> multi-provider setups rather than transitional ones, so it isn't directly
> on point, but it still has some useful ideas.
>
> https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

Thanks for mentioning our draft Tony. The provider handoff case can just
be considered a transitional state of the multi-provider setup, so the same
technique can be applied to Klaus's problem. Klaus's case just needs a
further step of detaching the losing provider later by deleting their ZSK.

Our scheme imports only the ZSK public key rather than the KSK.  I don't
think importing the KSK alone works, because the other provider's data
is signed by their ZSK. I suggest looking at the steps outlined in Model 2,
which is more applicable to the general case of provider transfer.


> > So, how is the correct process to add an additional DNSKEY (only the public key is known)?
>
> I think you are looking for `dnssec-importkey`.

Yes, dnssec-importkey works fine with BIND's auto-dnssec configuration
for this task. If you're signing outside BIND (e.g. with dnssec-signzone), I
assume you can stitch together the DNSKEY RRset with the imported ZSK
manually or with some scripting.

Shumon Huque



AW: How to prepublish additional DNSKEY

Klaus Darilion-2
In reply to this post by Tony Finch
> > So, how is the correct process to add an additional DNSKEY (only the public
> key is known).
>
> I think you are looking for `dnssec-importkey`.

Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
rndc loadkeys myzone
rndc sign myzone

But the additional key is not added to the response of DNSKEY queries.

I am using Bind - 9.12.2-P2. Is this supported by Bind 9.12? (upgrade/downgrade is currently not possible)

Thanks
Klaus

Re: AW: How to prepublish additional DNSKEY

Daniel Stirnimann

On 09.07.20 11:51, Klaus Darilion wrote:

>>> So, how is the correct process to add an additional DNSKEY (only the public
>> key is known).
>>
>> I think you are looking for `dnssec-importkey`.
>
> Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
> rndc loadkeys myzone
> rndc sign myzone
>
> But the additional key is not added to the response of DNSKEY queries.

Does the key have correct timing metadata in the key file?

Have a look at "dnssec-settime".

Daniel

Re: AW: How to prepublish additional DNSKEY

Shumon Huque
On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann <[hidden email]> wrote:

> On 09.07.20 11:51, Klaus Darilion wrote:
> >>> So, how is the correct process to add an additional DNSKEY (only the public
> >> key is known)?
> >>
> >> I think you are looking for `dnssec-importkey`.
> >
> > Indeed. I imported the key and got a .key and .private file. I put those files in the same directory as the other keys, gave read permissions to bind and executed:
> > rndc loadkeys myzone
> > rndc sign myzone
> >
> > But the additional key is not added to the response of DNSKEY queries.
>
> Does the key have correct timing metadata in the key file?
>
> Have a look at "dnssec-settime".

You can also set the timing metadata with dnssec-importkey itself (so that you don't have to separately run dnssec-settime), e.g. to activate key 5 minutes from now:

    dnssec-importkey -P +5mi -K Kexample.com.+013+23941.key

Shumon.
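The timing-metadata check Daniel and Shumon point to, as an added example that is not part of this thread or of BIND: a small Python parser for the .key file that dnssec-importkey writes, which computes the RFC 4034 key tag from the DNSKEY record and reports whether the Publish time would let named include the key in the DNSKEY RRset at a given moment. The key file contents and the 4-byte "public key" are constructed for illustration, and timestamps are assumed to be UTC in the 14-digit form BIND uses.

```python
import base64
import re

# Constructed sample of a K<zone>.+<alg>+<tag>.key file as dnssec-importkey
# writes it; the 4-byte "public key" is a placeholder, not a real ECDSA key.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 1554, for example.com.
; Created: 20200709113000 (Thu Jul  9 11:30:00 2020)
; Publish: 20200709113500 (Thu Jul  9 11:35:00 2020)
; Activate: 20200709113500 (Thu Jul  9 11:35:00 2020)
example.com. IN DNSKEY 257 3 13 AAECAw==
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # high byte on even offsets, low on odd
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_file(text):
    """Return (timing metadata as YYYYMMDDHHMMSS strings, flags, protocol, algorithm, pubkey bytes)."""
    timing = dict(re.findall(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", text, re.M))
    m = re.search(r"^\S+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", text, re.M)
    flags, proto, alg = (int(x) for x in m.group(1, 2, 3))
    return timing, flags, proto, alg, base64.b64decode(m.group(4))

def publish_state(text, now):
    """Report whether named would include the key in the DNSKEY RRset at `now`
    (a YYYYMMDDHHMMSS string in UTC; fixed-width strings compare chronologically)."""
    timing, flags, proto, alg, pub = parse_key_file(text)
    tag = key_tag(flags, proto, alg, pub)
    if "Publish" not in timing:
        return tag, "no Publish time: key is ignored (set one with dnssec-settime -P or dnssec-importkey -P)"
    if now < timing["Publish"]:
        return tag, "Publish time is in the future: not yet in the DNSKEY RRset"
    if "Delete" in timing and now >= timing["Delete"]:
        return tag, "past Delete time: removed from the DNSKEY RRset"
    return tag, "published: expect it in DNSKEY responses after rndc loadkeys"

if __name__ == "__main__":
    for now in ("20200709113400", "20200709120000"):
        tag, state = publish_state(SAMPLE_KEY_FILE, now)
        print(f"at {now}: key tag {tag}: {state}")
```

Comparing the reported key tag against the tags in a `dig DNSKEY` answer is a quick way to confirm the imported key actually made it into the RRset once its Publish time has passed.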



AW: AW: How to prepublish additional DNSKEY

Klaus Darilion-2

Thanks - now it works.

Klaus

 

From: Shumon Huque <[hidden email]>
Sent: Thursday, 9 July 2020 13:44
To: Daniel Stirnimann <[hidden email]>
Cc: Klaus Darilion <[hidden email]>; [hidden email]
Subject: Re: AW: How to prepublish additional DNSKEY

 
