
Cryptokeys import doesn't directly accept exported data

Open sdomi opened this issue 2 months ago • 2 comments

  • Program: Authoritative
  • Issue type: Feature request

Short description

When exporting cryptokey data through GET /servers/{server_id}/zones/{zone_id}/cryptokeys/{cryptokey_id}, the resulting JSON object cannot be directly POSTed to /servers/{server_id}/zones/{zone_id}/cryptokeys. It errors out with the following message:

{"error": "Either you submit just the 'privatekey' field or you leave 'privatekey' empty and submit the other fields."}

This message is somewhat misleading too, as sending just privatekey results in...

{"error": "Key 'keytype' not present or not a String"}

I also haven't seen documentation on which fields are exactly required (this page doesn't seem to mention it?) but keytype and privatekey seem to be enough.

Use case

Easier importing / migrations between servers. Habbie mentioned on IRC that this may be something desirable :)

sdomi, Nov 01 '25 20:11

I also haven't seen documentation on which fields are exactly required

bits and algorithm are currently forbidden if privatekey is set. keytype/active/published are used for both importing and generating, so those are always allowed.

Habbie, Nov 01 '25 21:11

Possible steps:

  • document that if privatekey is present, other fields (algorithm/bits) will be ignored (and implement that, of course)
  • instead of ignoring the fields, check them against the provided key. I don't know what kind of mistake this will prevent, but it should not get in the way of the desired import/export flow

Habbie, Nov 01 '25 21:11
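A client-side workaround for the export/import mismatch described in the issue and in Habbie's first reply, as an added example (it is not code from the PowerDNS project or from anyone in this thread). It reduces a GET cryptokey response to the fields the POST endpoint is said to accept alongside privatekey (keytype, active, published), drops everything else (id, dnskey, ds, cds, algorithm, bits, flags, type, which are the field names documented for the Cryptokey object), and, as a local version of the "check them against the provided key" idea, compares the export's algorithm field with the Algorithm line of the private key. That comparison assumes the privatekey text is in the ISC/BIND private-key format ("Algorithm: 13 (ECDSAP256SHA256)"); the sample export below is constructed, its key material is a placeholder, and migrate_key, src_api and dst_api are hypothetical helpers that are not called when the file runs.

```python
"""Turn a PowerDNS Authoritative cryptokey export (GET .../cryptokeys/{id})
into a body that POST .../cryptokeys accepts. Added example for this issue,
not code from the PowerDNS project."""
import json
import re
import urllib.request

# Fields the import endpoint accepts next to 'privatekey' (per the thread).
IMPORT_FIELDS = ("keytype", "active", "published")
# Fields a GET returns that must not (or need not) be sent back with a private key.
DROPPED_FIELDS = ("id", "dnskey", "ds", "cds", "algorithm", "bits", "flags", "type")


def key_algorithm_name(privatekey: str):
    """Return the algorithm mnemonic from an ISC-format private key, e.g.
    'ECDSAP256SHA256' from 'Algorithm: 13 (ECDSAP256SHA256)'. Assumption:
    the export uses that format; None if no such line is found."""
    m = re.search(r"^Algorithm:\s*\d+\s*\(([A-Z0-9-]+)\)", privatekey, re.MULTILINE)
    return m.group(1) if m else None


def to_import_body(exported: dict, check_algorithm: bool = True) -> dict:
    """Build the POST body. Raises ValueError when the export cannot be imported
    as-is or when its 'algorithm' field disagrees with the key itself."""
    priv = exported.get("privatekey")
    if not priv:
        raise ValueError("export has no 'privatekey'; nothing to import")
    if "keytype" not in exported:
        raise ValueError("export has no 'keytype'; the import endpoint requires it")
    if check_algorithm and exported.get("algorithm"):
        from_key = key_algorithm_name(priv)
        if from_key is not None and from_key.upper() != str(exported["algorithm"]).upper():
            raise ValueError(
                f"algorithm mismatch: export says {exported['algorithm']}, key says {from_key}")
    body = {"privatekey": priv}
    for field in IMPORT_FIELDS:
        if field in exported:
            body[field] = exported[field]
    return body


def migrate_key(src_api: str, dst_api: str, api_key: str, zone: str, key_id: int) -> dict:
    """Hypothetical helper: GET the key from src_api and POST it to dst_api.
    src_api/dst_api look like 'http://127.0.0.1:8081/api/v1/servers/localhost'.
    Not executed in this example; shown for the migration flow only."""
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    req = urllib.request.Request(f"{src_api}/zones/{zone}/cryptokeys/{key_id}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        exported = json.load(resp)
    data = json.dumps(to_import_body(exported)).encode()
    req = urllib.request.Request(f"{dst_api}/zones/{zone}/cryptokeys",
                                 data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample export: field names follow the Cryptokey API object,
# key material is a placeholder, not a real key.
SAMPLE_EXPORT = {
    "type": "Cryptokey",
    "id": 7,
    "keytype": "csk",
    "active": True,
    "published": True,
    "algorithm": "ECDSAP256SHA256",
    "bits": 256,
    "flags": 257,
    "dnskey": "257 3 13 PLACEHOLDER-PUBLIC-KEY",
    "ds": ["12345 13 2 PLACEHOLDERDIGEST"],
    "privatekey": ("Private-key-format: v1.2\n"
                   "Algorithm: 13 (ECDSAP256SHA256)\n"
                   "PrivateKey: PLACEHOLDER-PRIVATE-KEY\n"),
}

if __name__ == "__main__":
    print(json.dumps(to_import_body(SAMPLE_EXPORT), indent=2))
```

The resulting body carries only privatekey, keytype, active and published, so it passes the "either just privatekey or the other fields" check quoted in the issue while still supplying the keytype the second error message asks for. If the server later starts ignoring algorithm and bits when a private key is present, the dropping step becomes harmless rather than necessary.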