Hi all,

To make things clear, I would add some notes.

First, one needs to distinguish two possibilities:

1) importing the keys from the previous software as they are, both their public and private parts, and continuing to sign with the same keys after switching to the new software

For this, you probably utilize some of the keymgr commands: import-pem, import-pkcs11, import-bind.

2) switching software together with a roll-over of all keys -- in this case there is no need for importing the private keys, but for some time the new public keys must be pre-published in the old software before the migration, and for some time the old public keys must be post-published in the new software

For this, you might use the generate command for creating new Knot keys and maybe the import-pub command to enable post-publishing of the old keys (the Bind format is relatively straightforward, so it can be "faked" manually). Note that this might be tricky to do correctly.

(method (2) is probably the same as "Changing DNS operators", because they usually don't trust each other enough to share private keys ;) )



On 14.01.20 at 09:59 Daniel Salzman wrote:
Hi Thomas,

It's not clear what is the source DNS software. Is it Bind or Knot DNS?

The keymgr import is the right way. But you have to import full keys
(private and public parts) for a seamless operation.


On 1/14/20 12:37 AM, Thomas wrote:

I need to import dnskeys (KSKs & ZSKs) from an existing zone to my own
zone. This needs to be done due to a name server change without breaking
the chain of trust according to RFC6781 - Section 4.3.5.  "Changing DNS

I read in the Knot documentation that manually added dnskeys will be
removed when the zone gets signed:

"Updating the DNSKEY records. The whole DNSKEY set in zone apex is
replaced by the keys from the KASP database. Note that keys added into
the zone file manually will be removed. To add an extra DNSKEY record
into the set, the key must be imported into the KASP database (possibly

So I need to import these keys into the KASP via the keymgr tool, right?
There is the "keymgr import-pub" method that expects a key in BIND
format. Is that the appropriate method for my task? If so, how do I
convert a DNSKEY Record into a Bind public key file?

Thanks a lot!

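The conversion Thomas asks about (a DNSKEY record turned into a BIND-format public key file that `keymgr import-pub` accepts, i.e. the post-publish step of method (2) above), as an added Python example that is not part of the thread and is not Knot DNS code. The BIND file layout it produces (`K<owner>+<alg>+<keytag>.key` with one DNSKEY RR line) and the keymgr invocation in the usage note are my assumptions from the BIND and Knot conventions; the key tag follows RFC 4034 Appendix B; the DNSKEY it processes is a constructed 3-byte stand-in, not a real key.

```python
"""Turn a DNSKEY RR (as it appears in the old operator's zone) into a
BIND-style public key file that `keymgr <zone> import-pub` can read.

Added example for the thread above; not Knot DNS code and not from any
of the posters. Assumptions (not from the thread): BIND public-key file
layout `K<owner>+<alg:03d>+<tag:05d>.key` holding a `;` comment line and
one DNSKEY RR line; key tag rule of RFC 4034 Appendix B.
"""
import base64
import re
import struct
import sys
from pathlib import Path
from typing import Tuple

# Presentation-format DNSKEY: owner [ttl] [IN] DNSKEY flags protocol algorithm base64...
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$",
    re.IGNORECASE,
)


def parse_dnskey(rr: str) -> Tuple[str, int, int, int, bytes]:
    """Split one DNSKEY RR line into (owner, flags, protocol, algorithm, key bytes)."""
    m = DNSKEY_RE.match(" ".join(rr.split()))
    if not m:
        raise ValueError(f"not a DNSKEY RR: {rr!r}")
    owner = m["owner"] if m["owner"].endswith(".") else m["owner"] + "."
    flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    # The base64 blob may be split by whitespace in presentation format.
    pub = base64.b64decode("".join(m["key"].split()), validate=True)
    return owner, flags, proto, alg, pub


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the wire-format RDATA, per RFC 4034 Appendix B."""
    if algorithm == 1:
        # RSA/MD5 used a different rule and is obsolete; refuse rather than guess.
        raise ValueError("algorithm 1 (RSA/MD5) is not supported")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def bind_key_filename(owner: str, algorithm: int, tag: int) -> str:
    """BIND naming convention (assumed): K<owner>+<alg>+<keytag>.key."""
    return f"K{owner}+{algorithm:03d}+{tag:05d}.key"


def render_bind_key_file(rr: str) -> Tuple[str, str]:
    """Return (filename, file contents) for the BIND public key file of this DNSKEY."""
    owner, flags, proto, alg, pub = parse_dnskey(rr)
    tag = key_tag(flags, proto, alg, pub)
    kind = "key-signing key" if flags & 0x0001 else "zone-signing key"  # SEP bit
    body = (
        f"; This is a {kind}, keyid {tag}, for {owner}\n"
        f"{owner} IN DNSKEY {flags} {proto} {alg} {base64.b64encode(pub).decode()}\n"
    )
    return bind_key_filename(owner, alg, tag), body


def write_bind_key_file(rr: str, directory: Path) -> Path:
    """Write the key file into `directory` and return its path."""
    name, body = render_bind_key_file(rr)
    path = directory / name
    path.write_text(body)
    return path


if __name__ == "__main__":
    # Constructed sample: a 3-byte "key" (not a real ECDSA key) so it runs offline.
    sample = "example.com. 3600 IN DNSKEY 257 3 13 AQID"
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    out = write_bind_key_file(sample, target)
    print(f"wrote {out}")
    print(out.read_text(), end="")
```

Run it with a target directory, then import the file into the KASP database with something like `keymgr example.com. import-pub Kexample.com.+013+02064.key` (zone name, then command, then the .key path, as I remember the Knot 2.x keymgr syntax; check `man keymgr` for your version). Keep Daniel's caveat in mind: import-pub only makes Knot publish the key in the DNSKEY set, it cannot sign with it, so this serves the overlap period of method (2), not the "keep signing with the old keys" case (1), which needs the private parts via import-bind or import-pem.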
