On Fri, 21 Aug 2020 13:00:26 -0700 knot(a)tacomawireless.net said
I'm currently on 2.6.5, and am moving everything
to a new server I've created that's using the newest
version. However, I've got a couple of zones I am trying
to clean up before the move.
In my effort to resign these zones, I'm retiring/removing
keys associated with these zones prior to resigning them.
But keymgr(8) isn't working as expected.
e.g.:
12:25pm Fri, 21 # keymgr some.zone. set 09696 retire=20200821122736 remove=20200821122755
12:28pm Fri, 21 # keymgr some.zone. list iso
...
83ded1e7f4375657fe12ca666d4bbc6c33b7edea ksk=no zsk=yes tag=09696
algorithm=5 public-only=no created=2020-05-06T04:42:32
pre-active=2020-05-06T04:42:32 publish=2020-05-06T05:42:32
ready=1970-01-01T00:00:00 active=2020-05-06T18:42:32
retire-active=1970-01-01T00:00:00 retire=2020-08-21T12:27:36
post-active=1970-01-01T00:00:00 remove=2020-08-21T12:27:55
...
As you can see, it's 12:28 but the key was not removed.
What am I missing/misunderstanding?
OK, none of this is working as expected:
knotc -f zone-purge some.zone.
keymgr some.zone. list iso
still shows keys.
knotc -f zone-purge some.zone. +journal +kaspdb +timers +expire
keymgr some.zone. list iso
Nope. All the keys are still there.
So I knotc zone-freeze some.zone.
knotc zone-flush some.zone.
No changes on disk. So I simply edit what's already there on
disk -- delete all key info and leave only what's required for an
unsigned zone.
keymgr some.zone. generate algorithm=RSASHA1 zsk=true size=1024 active=20200821143536
warning: creating key with different algorithm than configured in the policy
keyhash...
What? The conf file lists:
algorithm: RSASHA1
ksk-size: 2048
zsk-size: 1024
Oh well. Nothing else is working. Let's continue...
keymgr some.zone. generate algorithm=RSASHA1 ksk=true size=2048 active=20200821143536
warning: creating key with different algorithm than configured in the policy
keyhash...
Hmm... same problem. Big surprise. :-(
knotc zone-thaw some.zone.
knotc zone-sign some.zone.
service knot restart
OK, the zone on disk was (re?)signed.
Let's have a look at the records in the DB:
keymgr some.zone. list iso
Bummer. Now there are 7 records (keys) where there were only 4.
I give up on this version. If I delete the DBs and simply transfer
the zones on disk to the new server (eliminating the key info), then
sign them on the new server under the current version of Knot, will
everything work as advertised? Or am I simply misunderstanding the
whole thing?
Thank you for all your time, and consideration.
--Chris
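An added example, not part of the post above and not Knot DNS code: it works only on the text that `keymgr <zone> list iso` prints. It parses the records (including ones wrapped across lines by a mail client, as in the listing above), evaluates each key's timers against a chosen instant, and reports which lifecycle timer has most recently fired for every key and which keys are due for removal. The point it makes is the one the post trips over: keymgr `set` only writes timers into the KASP database; knotd acts on them when it next signs the zone, which is when a key past its `remove` time is deleted from the database and its DNSKEY dropped from the zone. A listing taken seconds after `remove` has passed therefore still shows the key. The epoch value `1970-01-01T00:00:00` means "timer not set", and timestamps are compared as naive local time because that is how `list iso` prints them. The second key in the sample (tag 12345) and the instants used are constructed for the example.

```python
"""Classify keys from `keymgr <zone> list iso` output by the lifecycle timer that last fired.

Added example; parses keymgr's text output only and never touches a KASP database.
Timer names and their order follow Knot DNS's documented key lifecycle.
"""
from datetime import datetime

# keymgr timers in lifecycle order. 1970-01-01T00:00:00 means the timer is not set.
TIMERS = ("pre-active", "publish", "ready", "active",
          "retire-active", "retire", "post-active", "remove")
UNSET = "1970-01-01T00:00:00"
KEY_ID_LEN = 40  # key IDs are 40 hex characters, as in the post's listing

# Constructed sample: the first record carries the timers set in the post (ZSK 09696),
# the second is an invented KSK with no retirement scheduled. One record per line,
# the way keymgr itself prints them.
SAMPLE = """\
83ded1e7f4375657fe12ca666d4bbc6c33b7edea ksk=no zsk=yes tag=09696 algorithm=5 public-only=no created=2020-05-06T04:42:32 pre-active=2020-05-06T04:42:32 publish=2020-05-06T05:42:32 ready=1970-01-01T00:00:00 active=2020-05-06T18:42:32 retire-active=1970-01-01T00:00:00 retire=2020-08-21T12:27:36 post-active=1970-01-01T00:00:00 remove=2020-08-21T12:27:55
0123456789abcdef0123456789abcdef01234567 ksk=yes zsk=no tag=12345 algorithm=5 public-only=no created=2020-05-06T04:42:32 pre-active=2020-05-06T04:42:32 publish=2020-05-06T05:42:32 ready=2020-05-06T18:42:32 active=2020-05-07T18:42:32 retire-active=1970-01-01T00:00:00 retire=1970-01-01T00:00:00 post-active=1970-01-01T00:00:00 remove=1970-01-01T00:00:00
"""

# The same first record as it appeared in the mail: wrapped and surrounded by "..." lines.
WRAPPED = """\
...
83ded1e7f4375657fe12ca666d4bbc6c33b7edea ksk=no zsk=yes tag=09696
algorithm=5 public-only=no created=2020-05-06T04:42:32
pre-active=2020-05-06T04:42:32 publish=2020-05-06T05:42:32
ready=1970-01-01T00:00:00 active=2020-05-06T18:42:32
retire-active=1970-01-01T00:00:00 retire=2020-08-21T12:27:36
post-active=1970-01-01T00:00:00 remove=2020-08-21T12:27:55
...
"""


def _is_key_id(token):
    return len(token) == KEY_ID_LEN and all(c in "0123456789abcdef" for c in token)


def parse_list_iso(text):
    """Return a list of dicts, one per key. A record starts at a 40-hex key id; a line
    that does not start with one continues the previous record (mail wrapping)."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if _is_key_id(tokens[0]):
            records.append({"id": tokens[0]})
            tokens = tokens[1:]
        elif not records:
            continue  # stray text before the first record, e.g. "..."
        for tok in tokens:
            if "=" in tok:
                name, value = tok.split("=", 1)
                records[-1][name] = value
    return records


def parse_ts(value):
    """ISO timestamp as printed by `list iso` -> datetime, or None when unset (epoch)."""
    if value == UNSET:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def key_state(record, now_iso):
    """Name of the latest lifecycle timer that has fired by `now_iso` (naive local time,
    same format keymgr prints), or "scheduled" when none has fired yet."""
    now = parse_ts(now_iso)
    state = "scheduled"
    for name in TIMERS:
        when = parse_ts(record.get(name, UNSET))
        if when is not None and when <= now:
            state = name  # later timers in lifecycle order override earlier ones
    return state


def due_for_removal(records, now_iso):
    """Tags whose `remove` timer has passed: keymgr still lists them until knotd's next
    signing run deletes them from the KASP database and drops their DNSKEY."""
    return [r["tag"] for r in records if key_state(r, now_iso) == "remove"]


def report(text, now_iso):
    """(tag, role, state) per key, in listing order."""
    rows = []
    for rec in parse_list_iso(text):
        role = "KSK" if rec.get("ksk") == "yes" else "ZSK"
        rows.append((rec["tag"], role, key_state(rec, now_iso)))
    return rows


if __name__ == "__main__":
    NOW = "2020-08-21T12:28:00"  # roughly when the poster ran `list iso`
    for tag, role, state in report(SAMPLE, NOW):
        print(f"tag={tag} {role}: last timer fired = {state}")
    print("due for removal at next signing:", due_for_removal(parse_list_iso(SAMPLE), NOW))
```

Run against the listing in the post at 12:28, the ZSK 09696 comes out as past `remove` while still present in the output, which is the expected picture until the zone is signed again (`knotc zone-sign` or the scheduled signing event). When a key has to disappear from the KASP database right away rather than at the next signing, keymgr's explicit `delete <key_id>` subcommand is the tool for that rather than editing timers.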