Good morning,
ISC bind is strict about CNAME of NS server:
skipping nameserver 'aa.bb.cz' because it is a CNAME, while resolving
'9.4/4.3.2.1.in-addr.arpa/PTR'.
How about Knot resolver ?
Thanks and best regards
J.Karliak
Howdy,
I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs. However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.
error: [_signal.ns2.droso.dk <http://signal.ns2.droso.dk/>.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
Relevant knot.conf snippets (in order):
policy:
- id: ecc
algorithm: ecdsap256sha256
nsec3: on
rrsig-refresh: 7d
mod-onlinesign:
- id: authsignal
nsec-bitmap: [CDS, CDNSKEY]
policy: ecc
template:
- id: default
…
dnssec-signing: on
dnssec-policy: ecc
…
zone:
- domain: _signal.ns2.droso.dk <http://signal.ns2.droso.dk/>
module: [mod-authsignal, mod-onlinesign/authsignal]
Any hint appreciated
Best
Erwin