On 2021-12-15 13:01, Anand Buddhdev wrote:
  On 15/12/2021 20:18, Chris wrote:
 Hi Chris,
 [snip config details]
  How would I best make this change? Is it enough to simply change
  algorithm: and Knot will just do the right thing?
 Yes, please! Just change the algorithm and let Knot do its thing. It will do
 the right thing. Please do *not* fiddle with things manually. DNSSEC is
 complex, and algorithm roll-overs require care. The developers of Knot have
 put a lot of care into handling algorithm roll-overs. Trust their expertise.
Thanks for the reply, Anand! :-)

I'm well aware of all the complexities, and am quite confident in Knot's
ability to DTRT. But "stuff" happens. E.g., after creating the additional
policy, some of the zones are _also_ adopting that new policy as _well_ as
the original policy. IOW there are some zones with both RSASHA1 _and_
RSASHA256 hashes in them.
config (diffs):
policy:
   - id: rsa1
     algorithm: RSASHA1
     zsk-size: 1024
policy:
   - id: rsa2
     algorithm: RSASHA256
     zsk-size: 2048
ALL zones but the test zone mentioned earlier:
   - domain: domain.name
     ...
     dnssec-signing: on
     dnssec-policy: rsa1
So why do (some) zones arbitrarily pick up the added policy when it is not
the policy declared within the domain block? IOW dnssec-policy: rsa1 is the
only dnssec-policy listed within all the domain blocks, and it's listed
within all of the domain blocks, save the earlier test domain. So "stuff"
happened. :-/
Thanks again, for taking the time to respond, Anand.
-- Chris
 Regards,
 Anand
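The check a practitioner would want after reading the exchange above, as an
added example that is not part of the thread and not Knot's own code: parse a
Knot-style policy/zone configuration fragment, parse the DNSKEY RRset each zone
actually publishes (presentation format, as dig would print it), and report per
zone whether the published key algorithms match the algorithm of the declared
dnssec-policy, are a mixture (the situation Chris describes), or belong to a
zone with no explicit policy at all. The configuration, zone names and DNSKEY
records below are constructed; the base64 key material is a placeholder and is
never decoded. The config parser handles only the section/list-item subset of
Knot's syntax that the thread uses, and it accumulates items across repeated
section headers, which is how Knot treats a second policy: block.

```python
"""Cross-check published DNSKEY algorithms against the declared Knot policy.

Added example, not code from the thread or from Knot DNS. All input below is
constructed to mirror the thread: two policies (rsa1/rsa2), zones declaring
rsa1, and one zone that has somehow ended up with keys of both algorithms.
"""
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers for the mnemonics Knot accepts in policy.algorithm.
ALG_NUMBERS = {
    "RSASHA1": 5, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15,
}

# Constructed Knot-style configuration fragment (simplified YAML-like syntax).
CONFIG = """
policy:
  - id: rsa1
    algorithm: RSASHA1
    zsk-size: 1024
policy:
  - id: rsa2
    algorithm: RSASHA256
    zsk-size: 2048
zone:
  - domain: example.org
    dnssec-signing: on
    dnssec-policy: rsa1
  - domain: example.net
    dnssec-signing: on
    dnssec-policy: rsa1
  - domain: test.example
    dnssec-signing: on
    dnssec-policy: rsa2
  - domain: example.com
    dnssec-signing: on
"""

# Constructed DNSKEY RRsets in presentation format; key material is a placeholder.
# Field order: owner TTL class type flags protocol algorithm public-key.
DNSKEY_RRSETS = """
example.org.  3600 IN DNSKEY 257 3 5  AwEAAcEX
example.org.  3600 IN DNSKEY 256 3 5  AwEAAdEX
example.net.  3600 IN DNSKEY 257 3 5  AwEAAeEX
example.net.  3600 IN DNSKEY 256 3 5  AwEAAfEX
example.net.  3600 IN DNSKEY 256 3 8  AwEAAgEX
test.example. 3600 IN DNSKEY 257 3 8  AwEAAhEX
test.example. 3600 IN DNSKEY 256 3 8  AwEAAiEX
example.com.  3600 IN DNSKEY 257 3 13 AwEAAjEX
"""

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+\S+$"
)


def parse_config(text):
    """Return {section: [item-dict, ...]}; repeated section headers merge."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")) and line.endswith(":"):
            current = line[:-1].strip()          # top-level section header
            continue
        if current is None:
            raise ValueError("item outside of any section: %r" % line)
        stripped = line.strip()
        if stripped.startswith("- "):            # "- key: value" starts a new item
            sections[current].append({})
            stripped = stripped[2:]
        key, _, value = stripped.partition(":")
        sections[current][-1][key.strip()] = value.strip()
    return sections


def parse_dnskeys(text):
    """Return {zone: [(flags, algorithm), ...]} from presentation-format lines."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            keys[m.group("owner").rstrip(".")].append(
                (int(m.group("flags")), int(m.group("alg"))))
    return keys


def check_zones(config_text, dnskey_text):
    """Compare each zone's published algorithms with its declared policy."""
    cfg = parse_config(config_text)
    policies = {p["id"]: p for p in cfg["policy"]}
    keys = parse_dnskeys(dnskey_text)
    report = {}
    for zone in cfg["zone"]:
        name, pol = zone["domain"], zone.get("dnssec-policy")
        expected = ALG_NUMBERS[policies[pol]["algorithm"]] if pol in policies else None
        seen = sorted({alg for _, alg in keys.get(name, [])})
        if expected is None:
            status = "no-explicit-policy"   # Knot would apply its built-in default policy
        elif seen == [expected]:
            status = "ok"
        elif not seen:
            status = "no-keys"
        elif expected in seen:
            status = "mixed"                # rollover in progress, or the thread's surprise
        else:
            status = "mismatch"
        report[name] = {"policy": pol, "expected": expected, "seen": seen, "status": status}
    return report


if __name__ == "__main__":
    for zone, info in check_zones(CONFIG, DNSKEY_RRSETS).items():
        print("%-14s policy=%-5s expected=%-4s seen=%-8s %s"
              % (zone, info["policy"], info["expected"], info["seen"], info["status"]))
```

A "mixed" result is not by itself wrong: a conservative algorithm rollover
publishes keys and signatures for both algorithms for a while, so the check is
useful only alongside the timeline of when each policy was applied. A
"no-explicit-policy" zone is the other thing to look for, since such a zone is
signed under Knot's default policy rather than any of the ones listed.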