• How to prepublish additional DNSKEY

    From Klaus Darilion@klaus.darilion@nic.at to bind-users@lists.isc.org on Wed Jul 8 10:52:42 2020
    From Newsgroup: comp.protocols.dns.bind

    Hello all!
A signed zone shall be moved to another DNS provider. Hence I want to add the public KSK of the gaining DNS provider as additional DNSKEY to the zone. My setup is:
    Bind1 as hidden primary --> Bind2 as bump-in-the-wire signer -> public facing secondaries
    I tried to add the DNSKEY to the zone file of Bind1. Bind1 accepts the DNSKEY. But Bind2 only shows the DNSKEYs from the local key-directory, the original DNSKEY is removed/ignored.
I also tried to add the additional DNSKEY into the key-directory of Bind2 (no .private file, only .key file). It did not work either.
So, how is the correct process to add an additional DNSKEY (only the public key is known)?
    Thanks
    Klaus
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Tony Finch@dot@dotat.at to Klaus Darilion on Wed Jul 8 16:32:29 2020
    From Newsgroup: comp.protocols.dns.bind

    Klaus Darilion <klaus.darilion@nic.at> wrote:

> A signed zone shall be moved to another DNS provider. Hence I want to
> add the public KSK of the gaining DNS provider as additional DNSKEY to
> the zone.

I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than transitional ones, so it isn't directly on point, but it still has some useful ideas.

    https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

> So, how is the correct process to add an additional DNSKEY (only the public key is known)?

    I think you are looking for `dnssec-importkey`.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Viking, North Utsire, South Utsire, Northeast Forties: Northwesterly 4 to 6, becoming variable 2 to 4 except in South Utsire. Slight or moderate. Showers. Good.
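The following is an added helper, not code from either poster: it takes the gaining provider's DNSKEY record in presentation format, checks the flags and protocol fields, computes the RFC 4034 key tag (so you can confirm it matches the DS record the gaining provider intends to publish), and prints the `dnssec-importkey` invocation that writes the matching .key/.private pair into Bind2's key directory, followed by `rndc loadkeys`. The zone name, key directory and the sample DNSKEY are constructed placeholders.

```python
"""Prepublish a foreign (public-only) DNSKEY in a BIND inline-signing key directory."""
import base64
import struct


def dnskey_wire_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the special case for obsolete algorithm 1 is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into its fields."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    owner = fields[0] if fields[0].endswith(".") else fields[0] + "."
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = "".join(fields[idx + 4:])  # base64 may be split across whitespace
    return owner, flags, protocol, algorithm, pubkey


def import_plan(rr: str, keydir: str, publish: str = "now", delete: str = "+90d") -> dict:
    """Validate the record and build the import command for the bump-in-the-wire signer."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(rr)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not flags & 0x0100:
        raise ValueError("ZONE flag (bit 7) not set; this is not a zone key")
    tag = key_tag(dnskey_wire_rdata(flags, protocol, algorithm, pubkey))
    # BIND names key files K<owner>+<alg>+<tag>; this is what will appear in keydir.
    keyfile = f"K{owner}+{algorithm:03d}+{tag:05d}.key"
    # dnssec-importkey reads the DNSKEY from stdin (-f -) and writes a .key plus a
    # .private file holding only timing metadata (no private key material) into -K.
    cmd = (f"printf '%s\\n' '{rr}' | dnssec-importkey -K {keydir} -P {publish} "
           f"-D {delete} -f - {owner} && rndc loadkeys {owner}")
    return {"key_tag": tag, "keyfile": keyfile, "command": cmd}


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with a placeholder ECDSA key body.
    sample = "example.test. 3600 IN DNSKEY 257 3 13 AQAB"
    for k, v in import_plan(sample, "/var/cache/bind/keys").items():
        print(f"{k}: {v}")
```

Compare the printed key tag with the DS record the gaining provider will publish in the parent before the switch; after `rndc loadkeys`, `dig @bind2 example.test. DNSKEY` should list the imported key alongside the local ones.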