Rick,
I understand your motivation, but I think this approach is a bit
fragile.
Also it would complicate the server design, which is already quite
complex.
You should use the dynamic configuration interface or try to adjust the
server
by yourself.
Daniel
On 2018-07-24 16:15, Rick van Rein wrote:
Hi,
I am trying to make DNSSEC signing orthogonal to zone data transport in
the DNSSEC signer solution for SURFnet. This translates directly to an
intuitive user interface, where domain owners can toggle DNSSEC on and
off with a flick of a switch.
Interestingly, keymgr can work orthogonally to zone data; keys can be
added and removed, regardless of whether a zone has been setup in Knot
DNS.
Where the orthogonality is broken, is that I need to explicitly set
dnssec-signing: to on or off. This means that I need to create a zone,
just to be able to tell Knot DNS about the keys. Of course there are
complaints when configuring Knot DNS without a zone data file present.
The most elegant approach would be to setup dnssec-signing as
opportunistic option, meaning "precisely then when there are keys
available in the keymgr for this zone". Such a setting could then end
up in the policy for any such zone, and that can be done when the zone
data is first sent, without regards of what we try to make an
orthogonal
dimension.
I have no idea if this is difficult to make. I do think it may be a
use
case that wasn't considered before, which is why I'm posting it here.
If this is easy and doable, please let me know; otherwise I will have
to
work around Knot DNS (ignoring errors, overruling previously set
content
just to be sure it is set, and so on) to achieve the desired
orthogonality.
Cheers,
-Rick