Hi,

Knot already supports online signing. See https://www.knot-dns.cz/docs/2.x/singlehtml/index.html#online-sign-online-dnssec-signing

Daniel

On 11/28/2016 02:45 PM, Matthew Pounsett wrote:


On 28 November 2016 at 05:18, Alarig Le Lay <alarig@swordarmor.fr> wrote:
Hi,

I use mod-synth-record to provide some reverse records for a LAN.
tregon-grifon.swordarmor.fr. is signed with DNSSEC, but I have an RRSIG
only for the records in the pasted file.

Yes, this is going to fail. To get around this, Knot would have to implement signing on-the-fly. I'm not sure if that's on the roadmap anywhere.

If you want to sign tregon-grifon.swordarmor.fr, then I'd suggest creating an insecure delegation to a separate zone (e.g. dynamic.tregon-grifon.swordarmor.fr) and putting your synthesized records in that zone.




_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users