Hi Tobias,
>Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
In simple DNSSEC terms, the idea of a rollover, regardless if it was
for ZSK, KSK or even an algorithm rollover, is that old settings
appear in the same zone that will have new settings. This is to help
validating resolvers to still use old (cached) RRSigs or DS records
and respond to them, as well as caching new ones, until old ones
expire. If you remove old RRSigs without giving time for resolvers
to cache new details, then resolvers will fail to accept new zone
details, even if they are being signed by the intended zone master
signer. This is more properly explained in RFC7583.
Now, how long it takes for a 'rolled over' item to remain in your
zone, this is what you should be able to define in your policy
settings. I can't comment on how Knot does it because we don't use
it to do DNSSEC management, but it's a slave to our master signer so
all our zones served by Knot are DNSSEC secured.
HTH,
Kareem.
--
Abdulkareem H. Ali
Network Operations Engineer
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com
CentralNic Group PLC is a company registered in England and Wales with
company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R
6AR.
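To put the "how long must the old ZSK stay" question into numbers, here is an added example (not part of the list message above, and not Knot's or CentralNic's code) that computes the minimum timeline of a pre-publication ZSK rollover from the intervals in RFC 7583 section 3.2.1, as I read them: the new key must sit in the DNSKEY RRset for Dprp + TTLkey before it signs anything, and the old key must stay published for Dsgn + Dprp + TTLsig after the new key takes over, so that every cached RRSIG made by the old key has expired before its DNSKEY disappears. The parameter values, the helper names and the assumption that the key may be dropped as soon as T_ret is reached are mine, not the poster's.

```python
from datetime import datetime, timedelta, timezone

# Constructed rollover parameters (assumptions, not values from the list post):
#   ttl_key - TTL of the DNSKEY RRset
#   ttl_sig - longest TTL of any record signed by the ZSK (its RRSIGs inherit it)
#   d_prp   - propagation delay: time for a zone change to reach every
#             authoritative server (in the poster's setup, the Knot slaves)
#   d_sgn   - time needed to re-sign the whole zone with the new ZSK
ROLLOVER_PARAMS = {
    "ttl_key": timedelta(hours=1),
    "ttl_sig": timedelta(days=1),
    "d_prp": timedelta(minutes=30),
    "d_sgn": timedelta(hours=2),
}


def prepublication_intervals(ttl_key, ttl_sig, d_prp, d_sgn):
    """Minimum intervals for the RFC 7583 pre-publication ZSK rollover.

    I_pub: the new DNSKEY must be visible in every cache before it signs,
           so validators that fetched the old DNSKEY RRset have refreshed it.
    I_ret: the old key stays published until the zone is fully re-signed,
           that zone has propagated, and the last old RRSIG has left caches.
    """
    i_pub = d_prp + ttl_key
    i_ret = d_sgn + d_prp + ttl_sig
    return {"I_pub": i_pub, "I_ret": i_ret}


def prepublication_timeline(t_pub, **params):
    """Absolute times for one rollover that publishes the new ZSK at t_pub."""
    iv = prepublication_intervals(**params)
    t_act = t_pub + iv["I_pub"]   # new ZSK starts signing
    t_ret = t_act + iv["I_ret"]   # old ZSK no longer needed by any cache
    return {"T_pub": t_pub, "T_act": t_act, "T_ret": t_ret}


def rollover_phase(now, timeline):
    """Which of the three phases a rollover is in at time `now`."""
    if now < timeline["T_pub"]:
        return "not started"
    if now < timeline["T_act"]:
        return "pre-publish: both keys in DNSKEY RRset, old ZSK signs"
    if now < timeline["T_ret"]:
        return "both keys in DNSKEY RRset, new ZSK signs, old key kept for cached RRSIGs"
    return "old ZSK may be removed"


def may_remove_old_zsk(now, timeline):
    """True only once every RRSIG the old ZSK produced can have expired from caches."""
    return now >= timeline["T_ret"]


if __name__ == "__main__":
    # Constructed publication time for the new ZSK.
    t_pub = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    tl = prepublication_timeline(t_pub, **ROLLOVER_PARAMS)
    for name, when in tl.items():
        print(f"{name}: {when.isoformat()}")
    probe = t_pub + timedelta(hours=12)
    print(probe.isoformat(), "->", rollover_phase(probe, tl))
```

The interesting output is the gap between T_act and T_ret: with a one-day TTL on the signed records, a half-hour propagation delay and two hours of re-signing, the old ZSK has to remain in the DNSKEY RRset for more than a day after it stops signing. Whatever policy engine drives the signer should be expressing these same four inputs; if it lets you remove the old key earlier than T_ret, resolvers that still hold an old RRSIG will fail validation exactly as the reply above describes.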