01-11-2017 06:38 AM - edited 01-11-2017 06:39 AM
A question regarding the Import keyset feature for Infoblox DNS
Moving a DNSSEC-signed zone from BIND to Infoblox could include importing the existing DNSKEY/KSK from the BIND DNS to sign the zone with the existing and new key, as stated in RFC 6781 section 188.8.131.52 - DNSSEC Operational Practices.
However, the Import Keyset feature is not well documented and the support states:
"Please note that you would not be able to import signed zone with the Key that you used in BIND. Once the zone is migrated to Infoblox, you would have to sign the zone once it is imported to Infoblox."
One could of course take the approach to unpublish the existing DS records, import the zone and sign it in the Grid, and publish the new keys at the Registrar.
Anyone with more info regarding the Import Keyset feature?
Unfortunately, it is not possible to import the private keys, and the method suggested by support is also what we resort to during PS-led migrations.