OK, thanks - I thought that might be the case, and your confirmation is therefore much appreciated.
On Tue, Nov 9, 2021 at 1:27 AM libor.peltan <[email protected]> wrote:

> Hi Luveh,
>
> public-only keys can appear in KASP DB after they're imported manually
> with the `keymgr import-pub` command.
>
> They are obviously not used when signing the zone. But they may still
> appear in the DNSKEY RRSet.
>
> The use-case is when you need to publish a DNSKEY record of some key that
> you have just in public form. For example, a migration from one signer to
> another.
>
> BR,
>
> Libor
>
> On 08. 11. 21 at 20:28, Luveh Keraph wrote:
>
> > I have been trying to get a better understanding concerning the
> > information Knot stores in its KASP. Knot adds new key information into
> > the KASP by means of the kasp_db_add_key function. One of the arguments to
> > this function is a pointer to a key_params_t structure, one of whose
> > members is called is_pub_only. This would seem to imply that the KASP may
> > contain information about key pairs such that only the public component of
> > the key pair is available to Knot.
> >
> > Under what set of circumstances would such a key be stored in the KASP?
> > Since they are used for signing RRs, any KSKs and ZSKs in the KASP have to
> > be complete, in that both the private and the public components are
> > available to Knot (I know that the private component itself is not present
> > in the KASP, but that's OK). A KASP key for which the private component is
> > not available could be used for verifying signatures - but that's not
> > something that Knot does, right?
> >
> > So, under what set of circumstances would Knot add a key to the KASP such
> > that the is_pub_only member is set to true?
-- https://lists.nic.cz/mailman/listinfo/knot-dns-users
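As an added example (not from this thread and not Knot's own code): after a public-only key has been imported for a signer migration, the operator's check is that the zone's DNSKEY RRset really carries the old signer's key. The script below parses a constructed DNSKEY RRset in presentation format, computes each key's RFC 4034 key tag, and reports any expected tag that is not published; the zone name, TTLs and key material are made up for the example.

```python
import base64
import struct

# Constructed sample: a DNSKEY RRset as it might be published after an
# import of the old signer's public key. Zone, TTL and key bytes are made
# up for this example; they are not taken from the thread or from Knot.
SAMPLE_DNSKEY_RRSET = """\
example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA in wire format."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd the low byte.
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rrset(text: str) -> list:
    """Parse presentation-format DNSKEY records into flags/algorithm/tag rows."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue  # skip blank lines and non-DNSKEY records
        flags, protocol, algorithm = (int(f) for f in fields[4:7])
        pubkey = base64.b64decode("".join(fields[7:]))  # key may be split
        keys.append({
            "flags": flags,
            "algorithm": algorithm,
            "ksk": bool(flags & 0x0001),  # SEP bit set marks a KSK
            "tag": key_tag(flags, protocol, algorithm, pubkey),
        })
    return keys


def published_tags(text: str) -> set:
    """Key tags present in the published DNSKEY RRset."""
    return {k["tag"] for k in parse_dnskey_rrset(text)}


def migration_check(text: str, expected_tags: set) -> set:
    """Expected key tags (e.g. from the old signer) missing from the RRset."""
    return expected_tags - published_tags(text)
```

An empty result from `migration_check` means every key the old signer still signs with is visible to validators, which is the point of publishing a public-only key during a signer migration.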
