Hi all,
we'd like to inform you about recently found bug in Knot DNS 2.9.x.
The bug affects automatic key roll-overs when automatic key management
is configured
https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#automatic-dnssec-sig…
The ZSK, CSK or algorithm roll-over might be finished too early, so that
DNSKEY and RRSIG records in resolvers' caches get out of sync, leading
to temporary DNSSEC validation failure.
Affected versions are Knot DNS 2.9.0 -- 2.9.4.
We will release fixing version 2.9.5 soon.
In the meantime, we recommend to apply the workaround: set the
configuration option zone-max-ttl
https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#zone-max-ttl
explicitly to a value greater or equal to maximal TTL among all records
in the zone. (Remove the workaround once upgraded to fixed version.)
Many thanks to Anand Buddhdev from RIPE NCC for finding this bug.
Caring regards,
Libor Peltan
CZ.NIC
We're consolidating servers, and as a result. I need to transfer
some the IPs, zones && keys to other servers.
I'm trying to find the least eventful way to accomplish this.
I attempted to transfer (signed) zones and IPs once before. But
the slaves wouldn't accept the zones and I ultimately had to
purge the journals on all the servers I had control of, and
re-key and re-sign the zones to make everything work as intended.
All the zones are written/kept on disk (except changes that haven't
already been flushed to disk from the DB).
I'm wondering if it's enough to freeze all the zones on their
current serves. Then shutdown the server(s), and transfer the
zones, keys, and merge the configs onto the new servers would
be the correct way to do this? If not. Please advise.
Thank you for all your time, and consideration.
--Chris
