Hi Oliver,
by default, all changes to the zone, including DNSSEC signing, are
immediately flushed into the zonefile. Thus, if you simply set
dnssec-signing to off, Knot stops signing the zone, but the signatures
from before remain in the zone. You can then remove them from the
zonefile (using a text editor - delete lines with "DNSKEY", "CDS",
"CDNSKEY", "RRSIG" and "NSEC") and reload the zone (stop-start the
server or knotc zone-reload...).
If you already have a DS record in the parent zone, you need to tell
them to remove it *before* you turn off signing. The canonical way to
do it is publishing the delete-CDS/CDNSKEY record by turning
cds-cdnskey-publish to delete-dnssec, and waiting until the parent zone
notices and reacts.
You can choose propagation-delay arbitrarily, but remember to keep it at
a safe value for common resolvers.
BR,
Libor
On 17.10.18 at 13:43, Oliver Peter wrote:
Hi,
I am experimenting with the latest Knot and its wonderful DNSSEC autosigner
functionality. It works pretty nicely, but I am a bit lost in the unsign
process. My zone looks basically like this:
zone:
  - domain: "domain.tld."
    storage: "/home/oliver/knot/zones"
    file: "sign.local"
    zonefile-load: "difference"
    dnssec-signing: "on"
    dnssec-policy: "dnssec-policy"
    serial-policy: "unixtime"

policy:
  - id: "dnssec-policy"
    zsk-lifetime: "2592000"
    ksk-lifetime: "31536000"
    propagation-delay: "0"
    nsec3: "off"
    ksk-submission: "local"
    cds-cdnskey-publish: "always"
What is the safe way to turn off dnssec once the DS has been seen by
the resolver/knot?
I tried to do dnssec-signing: "off", but that did not change anything;
I also created a second policy called "unsign-policy" where I switched
cds-cdnskey-publish to "cds-cdnskey-publish".
I expected the CDNSKEY/CDS to immediately turn into "0 3 0 AA==" and so on,
since my propagation-delay is 0 (for faster test results...).
Thanks for any hints!
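The two checks behind the procedure in the reply above (confirm the delete CDS/CDNSKEY is published before signing is turned off, then strip the leftover DNSSEC records from the zonefile before reloading), as an added shell example that is not code from this thread or from the Knot project. The sample zone, its placeholder key data and the function names are constructed for this example; it assumes a Knot-style text zonefile with one RR per line and an explicit owner name on every record.

```shell
#!/bin/sh
# Helpers for the unsigning steps (added example, not Knot project code).
# Assumes one RR per line with an explicit owner name, as knot writes it.

# Exit 0 when the zone already publishes the RFC 8078 "delete" records that
# cds-cdnskey-publish: delete-dnssec produces (CDS "0 0 0 00" and/or
# CDNSKEY "0 3 0 AA=="), i.e. the parent has been asked to drop the DS.
zone_has_delete_cds() {
    grep -Eq '[[:space:]](CDS[[:space:]]+0[[:space:]]+0[[:space:]]+0[[:space:]]+00|CDNSKEY[[:space:]]+0[[:space:]]+3[[:space:]]+0[[:space:]]+AA==)[[:space:]]*$' "$1"
}

# Copy zonefile $1 to $2 without DNSSEC records.  The RR type is taken from
# its field position (owner [TTL] [class] TYPE), so a TXT whose RDATA merely
# contains the word RRSIG is kept, unlike a naive "grep -v RRSIG".
strip_dnssec_rrs() {
    awk '
        BEGIN { n = split("DNSKEY CDS CDNSKEY RRSIG NSEC NSEC3 NSEC3PARAM", t, " ")
                for (i = 1; i <= n; i++) drop[t[i]] = 1 }
        /^[ \t]*($|;)/ || /^\$/ { print; next }   # blank, comment, $ORIGIN/$TTL
        { i = 2                                   # $1 is the owner name
          if ($i ~ /^[0-9]+$/) i++                # optional TTL
          if (toupper($i) == "IN") i++            # optional class
          if (!(toupper($i) in drop)) print }
    ' "$1" > "$2"
}

# Constructed sample of a signed zone after cds-cdnskey-publish was switched
# to delete-dnssec.  Key and signature data are placeholders, not real values.
make_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN domain.tld.
$TTL 3600
domain.tld. 3600 IN SOA ns1.domain.tld. hostmaster.domain.tld. 1539776400 7200 3600 1209600 3600
domain.tld. 3600 IN NS ns1.domain.tld.
domain.tld. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==
domain.tld. 3600 IN CDS 0 0 0 00
domain.tld. 3600 IN CDNSKEY 0 3 0 AA==
domain.tld. 3600 IN RRSIG SOA 13 2 3600 20181117000000 20181017000000 12345 domain.tld. PLACEHOLDERSIG==
domain.tld. 3600 IN NSEC www.domain.tld. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
www.domain.tld. 3600 IN A 192.0.2.10
www.domain.tld. 3600 IN TXT "RRSIG-in-RDATA text must survive"
EOF
}
```

Run zone_has_delete_cds against the live zonefile and only proceed to strip_dnssec_rrs and knotc zone-reload once the parent has actually removed the DS; with propagation-delay 0 the zone itself gives you no waiting period.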