Hi Nils,
thank you for considering Knot DNS.
You are arranging a non-trivial DNS setup; I hope you are already
familiar with some DNSSEC basics :)
The issue with the idea of having just the KSK shared, with distinct ZSKs at
each server, is that a resolver may somehow obtain the DNSKEY from one of your
servers and an RRSIG (of any record other than DNSKEY) from another (this
can happen at different times since the resolver has a cache). You can
do this only if you are able to guarantee (somehow - for example your
anycast can do this through BGP) that any resolver will always talk
consistently with just one of your servers. I suspect this is not
entirely possible.
I would recommend continuously synchronizing the keys on all of your
servers, so that the keys are identical everywhere. To achieve automatic
ZSK roll-overs, you may configure them as automatic on exactly one of your
servers, and prepare some scripts that would do the synchronization to
all others, where `manual` would be set. The synchronization delay must
be added to the `propagation-delay` setting so that it causes no temporary
bogus state.
There are multiple possibilities for how to synchronize keys:
1) use `knotc zone-backup +kaspdb` and `knotc zone-restore +kaspdb` and
transfer stuff by "creating" and "restoring" the backup (this is new in
Knot DNS 3.0)
2) copy only the PEM files with private keys and call `keymgr import-pem` to
import them
3) copy the KASP DB as a whole directory
In any case, please read the relevant part of documentation carefully,
since what I wrote are just hints.
Please be extremely careful as this is near the edge of what's possible
with DNS ;) You are encouraged to try it all first in some safe
"playground" environment, before deploying it on critical zones.
Let me be curious as well: how does your existing setup work, and what
tools does it use?
BR,
Libor
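To illustrate the cache-mismatch problem Libor describes (shared KSK, per-server ZSKs), here is an added toy model, not code from Knot DNS or from either author: a resolver caches the DNSKEY RRset from server A and later validates an answer signed by server B. Keys, key tags and signatures are constructed stand-ins (HMAC over the RR data instead of real DNSSEC signatures); only the resolver's "find the signer's key tag in the cached DNSKEY set" step is modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    name: str
    secret: bytes  # constructed stand-in for private key material

    @property
    def key_tag(self) -> int:
        # Stand-in for the RFC 4034 key tag: 16-bit id derived from the key.
        return int.from_bytes(hashlib.sha256(self.secret).digest()[:2], "big")


@dataclass(frozen=True)
class RRSIG:
    key_tag: int      # identifies which DNSKEY produced this signature
    signature: bytes


def sign(rrdata: bytes, key: Key) -> RRSIG:
    return RRSIG(key.key_tag, hmac.new(key.secret, rrdata, "sha256").digest())


@dataclass
class AuthServer:
    ksk: Key
    zsk: Key

    def dnskey_rrset(self) -> dict:
        # The DNSKEY RRset this server publishes, indexed by key tag.
        return {k.key_tag: k for k in (self.ksk, self.zsk)}

    def answer(self, rrdata: bytes) -> tuple:
        return rrdata, sign(rrdata, self.zsk)


@dataclass
class Resolver:
    cached_dnskey: dict = field(default_factory=dict)

    def fetch_dnskey(self, server: AuthServer) -> None:
        self.cached_dnskey = server.dnskey_rrset()

    def validate(self, rrdata: bytes, rrsig: RRSIG) -> str:
        key = self.cached_dnskey.get(rrsig.key_tag)
        if key is None:
            return "bogus"  # signer's key tag is not in the cached DNSKEY set
        ok = hmac.compare_digest(sign(rrdata, key).signature, rrsig.signature)
        return "secure" if ok else "bogus"


def scenario(shared_zsk: bool) -> str:
    ksk = Key("ksk", b"shared-ksk")
    zsk_a = Key("zsk-a", b"zsk-of-server-a")
    zsk_b = zsk_a if shared_zsk else Key("zsk-b", b"zsk-of-server-b")
    server_a, server_b = AuthServer(ksk, zsk_a), AuthServer(ksk, zsk_b)
    resolver = Resolver()
    resolver.fetch_dnskey(server_a)  # DNSKEY answered by A stays in cache
    return resolver.validate(*server_b.answer(b"www.example. A 192.0.2.1"))
```

With `scenario(False)` the answer from B validates as bogus against A's cached DNSKEY set; with `scenario(True)` (identical keys everywhere, as recommended above) it is secure.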
On 21.11.20 at 17:40 Nils Trampel wrote:
Hello,
as I plan to migrate an existing DNS setup to Knot, not only for deploying DNSSEC but
also for synthesizing some records using mod-synthrecord, I am not sure how to set up
online signing when having multiple public authoritative name servers. My uncertainty is
whether it is necessary to give them the same ZSKs and do the key rollover from the outside, or
whether the chain of trust isn't severed when they generate their own ZSKs based on a
common KSK or even their distinct KSKs, and therefore provide different signatures.
Best regards and thanks,
Nils
--
Nils Trampel
GPG: 0x012BADD8