On 19/08/2021 11:43, mj wrote:
Hi MJ,
[snip]
> Now the two questions.
> We have set in knot.conf:
> zsk-lifetime: 30d
> ksk-lifetime: 365d
> We understand that with the above config, monthly zsk key rollovers
> happen automatically "inside" knot, but the yearly rollover (ksk) needs
> to be manually propagated by us to the parent dns (through, for example,
> secured email to the admins at company.com).
Correct. When the KSK is rolled, you need to send the new DS records to
the parent zone admins.
> Question one:
> Is there some kind of notification mechanism in knot, that reminds us
> (through email for example) that a ksk is about to expire, and keys need
> to be renewed at company.com dns? I cannot find such a function. Does it
> not exist? Or do we misunderstand something? It seems to be so vital.
KSKs do not "expire". When the time comes to roll the KSK, Knot will do
that, and then log this. You can monitor the log file to see when this
happens, and then submit the new DS record to the parent zone. Once the
parent zone has the new DS record, and you have waited a reasonable
amount of time for the DS record to propagate, you can inform Knot of
the submission with "knotc zone-ksk-submitted <zone1> <zone2> ...".
After this Knot will withdraw the old key and signatures.
Alternatively, you can configure Knot with the name servers of the
parent zone, or a validating resolver, and it will keep checking for the
new DS record by itself. When it detects the new DS record, it will
complete the roll-over by itself. Look at the config section called
"submission".
> Question two:
> How unreasonable/insecure would it be to take a longer ksk lifetime than
> one year, let's say 10 years? With the idea that we can always manually
> renew keys earlier, in case we need to.
There is no need to roll the KSK periodically. If you feel that your key
is safe, and the cryptographic algorithm is strong enough, then you can
set "ksk-lifetime" to 0, and Knot will never do a KSK roll-over by
itself. Then, you can perform the KSK roll-over manually if/when you
need to.
Regards,
Anand
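The two paths Anand describes above (automatic DS checking via a "submission" section for question one, and "ksk-lifetime: 0" with manual roll-overs for question two) combined into one knot.conf fragment. This is an added example, not configuration from the thread or from the Knot DNS project; the remote ids, addresses and zone names are placeholders.

```yaml
# Added example knot.conf fragment; remote ids, addresses and zone names are placeholders.
remote:
  - id: parent_ns
    address: 192.0.2.53            # placeholder: an authoritative server of the parent zone
  - id: validating_resolver
    address: 192.0.2.1             # placeholder: a DNSSEC-validating resolver

# Knot polls these servers for the new DS record after a KSK roll and,
# once it sees the DS there, finishes the roll-over without "knotc zone-ksk-submitted".
submission:
  - id: ds_check
    parent: [parent_ns, validating_resolver]
    check-interval: 1h             # how often Knot re-queries for the new DS

policy:
  # Question one: periodic KSK roll, completed automatically once the parent publishes the DS.
  - id: auto_roll
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    ksk-submission: ds_check

  # Question two: Knot never starts a KSK roll-over by itself; roll manually if/when needed.
  # The ZSK still rolls every 30 days inside Knot.
  - id: manual_ksk
    zsk-lifetime: 30d
    ksk-lifetime: 0

zone:
  - domain: example.com            # placeholder zone
    dnssec-signing: on
    dnssec-policy: auto_roll
  - domain: example.net            # placeholder zone
    dnssec-signing: on
    dnssec-policy: manual_ksk
```

With the manual_ksk policy the KSK roll is still started and finished by hand ("knotc zone-ksk-submitted" once the parent has the new DS); with auto_roll you only need to deliver the DS to the parent, and Knot detects the rest.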