20 Bře
2019
20 Bře
'19
13:48
Hi!
We've been experimenting with backups and disaster recovery in our knot
test setup and have been running into a weird issue.
Basically our backup strategy right now is to perform incremental
backups of the /var/lib/knot and the /etc/knot directories via rsync.
When we try to restore these backups knot starts successfully, but logs
the following messages for each of the zones that are currently in a
signed template:
2019-03-08T11:43:05 info: [example.com.] DNSSEC, signing zone
2019-03-08T11:43:05 error: [example.com.] zone event 'DNSSEC re-sign'
failed (invalid parameter)
When we try to query information about these zones via dig we receive a
SERVFAIL rcode for them.
All of the zones that are not processed through the DNSSEC mechanism are
unaffected by this.
We also experienced th same behavior, when we were experimenting with
adding new zones that are signed immediately.
To workaround this problem we currently add the zone in an unsigned
state (aka default template) to knot and after that we switch the
template of the zone to "signed".
This works like a charm for new zones and can also be used to recover
each of the broken zones after restoring the backup, but we'd rather not
use this workaround during disaster recovery as it would impose the
danger of breaking the zones if it is not performed correctly.
The templates and policies in our knot.conf look like this right now:
policy:
- id: shared
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
zsk-lifetime: 1d
ksk-lifetime: 2d
ksk-shared: true
ksk-submission: resolver
nsec3: true
cds-cdnskey-publish: always
template:
- id: default
storage: "/var/lib/knot"
semantic-checks: on
global-module: mod-stats
master: primary
notify: secondaries
acl: [primary, secondaries]
serial-policy: unixtime
dnssec-signing: off
- id: signed
dnssec-signing: on
dnssec-policy: shared
master: primary
notify: secondaries
acl: [primary, secondaries]
serial-policy: unixtime
zone:
- domain: example.com
template: signed
Thanks,
Thomas