Re: [knot-dns-users] KSK Rollover - Lab Policy For Testing

Hi Daniel, thanks a lot for your response! Do you mean the submission to the parent registry's nameservers? Yes, that has been done. The internal sate of the current KSK looks like this: 87472c54eb669c66353503caa0a386b1e95602de ksk=yes zsk=no tag=32875 algorithm=8 size=2048 public-only=no created=1551267572 pre-active=0 publish=1551430817 ready=1551430817 active=0 retire-active=0 retire=0 post-active=0 remove=0 Hmm, shouldn't it be "active=1"? In the logfile is says the sate is active: 2019-03-03T20:29:40 info: [xx.de.] DNSSEC, key, tag 32875, algorithm RSASHA256, KSK, public, ready, active By that you mean the highest TTL in the whole zone? Last question: Is this parameter mandatory? ksk-submission: test_zone_sbm Thanks a lot, Thomas On 03.03.19 18:45, daniel.salzman(a)nic.cz wrote: > Hi Thomas, > > > Try something like: > > policy: >  - id: test >    ksk-lifetime: 1200 >    zsk-lifetime: 600 >    propagation-delay: 0 >    dnskey-ttl: 60 > > > Best, > Daniel > > On 2019-03-03 17:26, Thomas wrote: >> Hi, >> >> we are testing knot at the moment and are struggling with the concept of >> automatic KSK rollovers. We are planning to fetch the current CDS for >> further automatic processing and try to figure out how to achieve a >> policy that performs KSK rollovers in a short period of time for testing >> purposes. Until now we have not seen any KSK rollovers and we are not >> sure why this is not happening. Can someone show me an example of a >> policy that schedules a KSK rollover within a very short period, let's >> say once a day? What policy parameters must be set? And what must be the >> zone's parameters in terms of TTL and SOA values (expire, refresh, etc)? >> >> >> Thanks a lot, >> Thomas