Path: csiph.com!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail
From: Tony Finch <dot@dotat.at>
Newsgroups: comp.protocols.dns.bind
Subject: Re: How to prepublish additional DNSKEY
Date: Wed, 8 Jul 2020 16:32:29 +0100
Lines: 22
Approved: bind-users@lists.isc.org
Message-ID: <mailman.647.1594222325.942.bind-users@lists.isc.org>
References: <3E18C1A0C550C44DA156DA5DA8ECCC6AB622808F@NICS-EXCH2.sbg.nic.at> <alpine.DEB.2.20.2007081628490.9145@grey.csi.cam.ac.uk>
NNTP-Posting-Host: lists.isc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
To: Klaus Darilion <klaus.darilion@nic.at>
In-Reply-To: <3E18C1A0C550C44DA156DA5DA8ECCC6AB622808F@NICS-EXCH2.sbg.nic.at>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Precedence: list
Xref: csiph.com comp.protocols.dns.bind:15931

Klaus Darilion <klaus.darilion@nic.at> wrote:
>
> A signed zone shall be moved to another DNS provider. Hence I want to
> add the public KSK of the gaining DNS provider as additional DNSKEY to
> the zone.

I guess you might already have seen this draft - it discusses long-term
multi-provider setups rather than transitional ones, so it isn't direcly
on point, but it still has some useful ideas.

https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec

> So, how is the correct process to add an additional DNSKEY (only the public key is known).

I think you are looking for `dnssec-importkey`.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Northwesterly 4 to 6,
becoming variable 2 to 4 except in South Utsire. Slight or moderate. Showers.
Good.