Could you share your setup design with us?
Knot will be a bump-in-the-wire signer (in current BIND terminology this would
be an inline-signer) which transfers zones from a hidden PowerDNS primary. All
but one zone will be signed with multiple keys and automatic KSK and ZSK
rollovers. All keys generated/stored/obtained on/from Thales nCipher HSMs
accessed via PKCS#11.
There is one internal TLD which requires special behavior: it requires
automatic ZSK rollovers, but the KSK must not roll until Knot is specifically
instructed to roll it, and when that happens, it must be rolled with RFC5011
semantics (except that the standby times will be 60 and not the default of 30
days). It is perfectly ok to execute this procedure "manually" by issuing
`keymgr' commands; further automation is not required.
I don't think there's anything particularly special about this setup other than
the requirement for the one zone.
You might have inferred from previous communication that this setup is
(finally!) replacing a bunch of OpenDNSSEC signers; we feel Knot is far more
reliable and stable than that software ever was.
Best regards,
-JP
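As an added illustration (not part of JP's message, and not the poster's real configuration or the Knot project's own documentation), here is how the design above maps onto Knot's configuration sections: a PKCS#11 keystore for the HSM, a hidden primary as the transfer source, one policy with automatic KSK and ZSK rollovers for the bulk of the zones, and a second policy for the one internal TLD whose KSK must never roll on its own. The addresses, token name, PKCS#11 library path, lifetimes, remote/ACL names and zone names are assumed placeholders.

```yaml
# Added example, not the poster's configuration. All values are placeholders.

server:
    listen: [ 0.0.0.0@53, ::@53 ]

# Keys are generated and held in the HSM, reached through PKCS#11.
# The PIN is inlined only for readability of the example.
keystore:
  - id: hsm
    backend: pkcs11
    config: "pkcs11:token=knot-signer;pin-value=PLACEHOLDER /path/to/pkcs11/library.so"

remote:
  # The hidden PowerDNS primary the unsigned zones are transferred from.
  - id: hidden_primary
    address: 192.0.2.10@53
  # Parent-side resolver used to check that a new KSK's DS is published.
  - id: parent_resolver
    address: 192.0.2.53@53

acl:
  - id: from_primary
    address: 192.0.2.10
    action: notify
  - id: to_public_secondaries
    address: 198.51.100.0/24
    action: transfer

# Lets Knot finish an automatic KSK rollover once the DS shows up in the parent.
submission:
  - id: parent_check
    parent: [ parent_resolver ]

policy:
  # Default: separate KSK and ZSK, both rolled automatically.
  - id: auto_rollover
    keystore: hsm
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    propagation-delay: 1h
    ksk-submission: parent_check

  # The special internal TLD: ZSK still rolls automatically, but ksk-lifetime 0
  # means the KSK never rolls unless the operator starts it (via keymgr).
  - id: ksk_operator_driven
    keystore: hsm
    algorithm: ecdsap256sha256
    ksk-lifetime: 0
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    propagation-delay: 1h

# Applies to every zone unless overridden below.
template:
  - id: default
    master: hidden_primary
    acl: [ from_primary, to_public_secondaries ]
    dnssec-signing: on
    dnssec-policy: auto_rollover

zone:
  - domain: example.com.
  - domain: example.net.
  - domain: internal.
    dnssec-policy: ksk_operator_driven
```

The RFC 5011 parts of the special zone's KSK rollover (the 60-day hold-down and the eventual revocation of the old key) are not something this configuration expresses; as the message says, that part of the procedure is driven by the operator with keymgr when the rollover is actually wanted. The practical check on this layout is that a `knotc zone-status` on the internal zone should show the ZSK timers advancing while the KSK has no scheduled rollover.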