Re: [knot-dns-users] import public dnskey

2020-01-14 Thread Daniel Salzman
Hi Thomas, It's not clear what is the source DNS software. Is it Bind or Knot DNS? The keymgr import is the right way. But you have to import full keys (private and public parts) for a seamless operation. Daniel On 1/14/20 12:37 AM, Thomas wrote: > Hi! > > I need to import dnskeys (KSKs & ZSKs

Re: [knot-dns-users] import public dnskey

2020-01-14 Thread libor.peltan
Hi all, to make things clear, I would add some notes. First, one needs to distinguish two possibilities: 1) importing the keys from previous software as they are, both their public and private parts, and continue signing with the same keys while switched to new software For this, you probab

Re: [knot-dns-users] import public dnskey

2020-01-14 Thread Thomas E.
Hi Libor, our case is exactly what you described in 2) I was able to import dnskey records from the other zone via "keymgr import-pub" method. So, I guess when I sign the zone the "foreign" dnskey record will just get signed like the other records. Thanks, Thomas Am 14.01.20 um 10:34 sch

[knot-dns-users] DS Records with "keymgr ds"

2020-01-14 Thread Thomas E.
Hi, the command "keymgr ds" gives me 2 DS records. One of Type 2 and one of Type 4. Is it possible to get Type 1 also? Thanks, Thomas -- https://lists.nic.cz/mailman/listinfo/knot-dns-users

Re: [knot-dns-users] DS Records with "keymgr ds"

2020-01-14 Thread libor.peltan
Hi, for DS records, the digest types are: 1 = SHA-1 2 = SHA-256 3 = SHA-384 Why would you need to obtain a SHA-1 hashed DS record? Libor Dne 14.01.20 v 17:37 Thomas E. napsal(a): Hi, the command "keymgr ds" gives me 2 DS records. One of Type 2 and one of Type 4. Is it possible to get Ty

Re: [knot-dns-users] DS Records with "keymgr ds"

2020-01-14 Thread David Vašek
Hello, just to correct Libor's little typo (Libor has just left his computer): 4 = SHA-384 Regards, David On 2020-01-14 18:00, libor.peltan wrote: Hi, for DS records, the digest types are: 1 = SHA-1 2 = SHA-256 3 = SHA-384 Why would you need to obtain a SHA-1 hashed DS record? Libor Dn

Re: [knot-dns-users] DS Records with "keymgr ds"

2020-01-14 Thread daniel . salzman
Thomas, keymgr no longer generates DS for algorithm 1 (SHA-1) as it's deprecated. Especially nowadays. See https://tools.ietf.org/html/rfc8624#section-3.3 Daniel On 2020-01-14 17:37, Thomas E. wrote: Hi, the command "keymgr ds" gives me 2 DS records. One of Type 2 and one of Type 4. Is it

Re: [knot-dns-users] DS Records with "keymgr ds"

2020-01-14 Thread Thomas
Hi Daniel, thanks a lot. I only have seen Type 1 and 2 in the wild, but never Type 4 so far. That is exactly the RFC I was looking for, thanks! Thomas On 14.01.20 19:13, daniel.salz...@nic.cz wrote: > Thomas, > > keymgr no longer generates DS for algorithm 1 (SHA-1) as it's > deprecated. Especi