Hi Maxi,

when it comes to updating the parent zone's DS during the rollover, Knot automatically (unless overriden by config) publishes CDS and CDNSKEY records in your zone. You can query your server and use them directly, the parent's DS shall be equal to your CDS.

Libor

Dne 26.10.18 v 18:24 Maximilian Engelhardt napsal(a):
Hi,

I'm having a question about DNSSEC KSK rollover and obtaining the relevant 
information for submission to the parent zone of the new key.

I'm currently using these steps:

- running "keymgr example.org list"
- manually identifying the new key using the parameters "ksk=yes" and having a 
look at the created, publish, ready and active parameters. The new key always 
seems to be the one with active=0 and I also check the dates of the other 
parameters for plausibility. I then note the tag of the identified key.
- using "keymgr example.org dnskey <keytag>" or "keymgr example.org ds 
<keytag>" to get the corresponding information for submission to the parent 
zone.

Is there an easier way of achieving this, especially without the manual key 
identification step? Ideally would be a single command I can run and specify 
the zone of interest and it will output the dnskey and/or ds information of 
the new key.

Thanks,
Maxi