Hi all,
I'm running {knot,knot-dnsutils} 2.3.0-3~bpo8+1 out of Debian
jessie-backports, and enabled automatic DNSSEC signing, which works
great!
I've got two question, as per the subject:
- According to [1], "KSK rollover is not implemented.". Does this mean,
if the key was created and exists, then currently knot doesn't change
/ rollover the KSK? Is it safe to assume, that as long one is using
this version, the key stays the same?
- I'm running Unbound to do resolving and forwarding some forward and
corresponding reverse zones to knot. To make DNSSEC work, I've created
a trusted-keys { ... } file with all the KSK created and used by /
with knot. Right now, I've created this file manually, using
$ keymgr zone key show ...
and
$ cat $name_of_zone.json
and putting it all together.
Right now, is there a tool / utility / command which does this
already?
TIA and all the best,
Georg
[1]
https://www.knot-dns.cz/docs/2.x/html/configuration.html#limitations