I have found a situation where I think the Knot behaviour around
algorithm rolls could be better. It's one of those "prevent the user
from hurting themselves" situations, in which I would have hurt myself
if this had involved anything other than an old, unused zone. :)
The suggestion is a simple one: when doing an automated algorithm
roll, the KSK submission check should remain negative until the
parental DS set exactly matches the set requested by the published CDS
set (substitute DNSKEY/CDNSKEY as appropriate).
In a situation where CDS scanning is not being done by my parent, I
slipped up and only added the new DS record to the parent, leaving the
old algorithm's DS record also present. Knot did its submission
check, saw the new DS record, and happily continued on with the
algorithm roll. This eventually led to a situation that was in
violation of RFC 6840 § 5.11 [0]:
A signed zone MUST include a DNSKEY for each algorithm present in
the zone's DS RRset and expected trust anchors for the zone.
I ended up with a situation where I had the new and old DS, but only
the new DNSKEY [1]. This seems like a situation that could be avoided
by extending the logic of the KSK submission check. In addition to
saving users from themselves, it would also help if a situation
occurred where the parent had a bug in their CDS processing
implementation and failed to remove the old DS.
[0]: <https://datatracker.ietf.org/doc/html/rfc6840#section-5.11>
[1]: <https://dnsviz.net/d/dns-oarc.org/Yg7ZDw/dnssec/>