Hello André,
If automatic signing is enabled, Knot should remove all unknown or expired RRSIGs automatically during re-signing. So it is very suspicious.

What does the server print to the log upon `knotc zone-sign ...`? Could you please send me the whole server log?
Thanks,
Daniel
On 10/03/2017 08:52 AM, André Keller wrote:
Hi Ondřej,
On 03.10.2017 04:54, Ondřej Surý wrote:
André, how do you sign the zone? Is Knot DNS master or slave in your configuration? Generally, the DNS server is agnostic to the contents of the zone - whatever is there gets served.
Knot (2.5.4) is master and does the DNSSEC signing. From the configuration:

policy:
  - id: default_ecdsa
    algorithm: ecdsap256sha256

template:
  - id: master_dnssec
    dnssec-policy: default_ecdsa
    dnssec-signing: on
    serial-policy: unixtime
    file: /var/lib/knot/zones/%s.zone
The zone file in /var/lib/knot/zones does not contain any DNSSEC-related information; this is all added by Knot. If I do a:

keymgr example.net list
I do not have a key for the outdated signature anymore. I'm happy to
provide the domain name and full configuration off-list if that helps.
Regards
André
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
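To check for the situation discussed above (an RRSIG left in the served zone whose key is no longer in the DNSKEY set, or whose expiration has passed), here is an added example that is not part of the thread and not Knot's own code. It audits a zone in presentation format (e.g. an AXFR dump) and reports RRSIGs that match no DNSKEY at the signer name or are already expired. The key tag is computed per RFC 4034 Appendix B; the sample zone, the dummy DNSKEY material (a few bytes, not a real P-256 key) and the signature bytes are all constructed for the example.

```python
"""Audit a DNSSEC zone dump for stale RRSIGs.

Added example, not Knot's own code. Flags RRSIGs whose (signer, key tag,
algorithm) matches no DNSKEY in the zone ("no matching DNSKEY") and RRSIGs
whose expiration is in the past ("expired"). Input is zone presentation
format with owner, TTL, class and type present on every line.
"""
import base64
import struct
from datetime import datetime, timezone


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrsig_time(s: str) -> datetime:
    """RRSIG expiration/inception in YYYYMMDDHHmmSS form, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_rrsigs(zone_text: str, now: datetime = None):
    """Return a list of (owner, type covered, key tag, reason) for suspect RRSIGs."""
    now = now or datetime.now(timezone.utc)
    keys = set()      # (owner, key tag, algorithm) of every DNSKEY in the zone
    rrsigs = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith(";"):
            continue  # blank line or comment
        owner, rrtype = f[0].lower(), f[3]
        if rrtype == "DNSKEY":
            # fields: owner ttl class DNSKEY flags protocol algorithm key...
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys.add((owner, key_tag(flags, proto, alg, "".join(f[7:])), alg))
        elif rrtype == "RRSIG":
            # fields: owner ttl class RRSIG covered alg labels origttl exp inc tag signer sig...
            rrsigs.append((owner, f[4], int(f[5]), parse_rrsig_time(f[8]),
                           int(f[10]), f[11].lower()))
    problems = []
    for owner, covered, alg, expiration, tag, signer in rrsigs:
        if (signer, tag, alg) not in keys:
            problems.append((owner, covered, tag, "no matching DNSKEY"))
        elif expiration <= now:
            problems.append((owner, covered, tag, "expired"))
    return problems


# Constructed sample, not a real zone. Key tags: 2068 (KSK) and 4123 (ZSK).
# The third RRSIG (tag 9999) mimics a signature from a key that has since been removed.
SAMPLE_ZONE = """\
; constructed sample, not a real zone; DNSKEY material is dummy bytes
example.net. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.net. 3600 IN DNSKEY 256 3 13 BQYHCA==
www.example.net. 3600 IN A 192.0.2.1
www.example.net. 3600 IN RRSIG A 13 3 3600 20171201000000 20171001000000 4123 example.net. c2ln
www.example.net. 3600 IN RRSIG AAAA 13 3 3600 20170901000000 20170801000000 4123 example.net. c2ln
www.example.net. 3600 IN RRSIG A 13 3 3600 20171201000000 20171001000000 9999 example.net. c2ln
"""


def audit_sample(now_str: str = "20171003000000"):
    """Run the audit over the constructed sample at a fixed point in time."""
    return audit_rrsigs(SAMPLE_ZONE, parse_rrsig_time(now_str))


if __name__ == "__main__":
    for owner, covered, tag, reason in audit_sample():
        print(f"{owner} RRSIG {covered} keytag {tag}: {reason}")
```

Feed it a fresh AXFR of the zone and an RRSIG reported as "no matching DNSKEY" is exactly the kind of leftover that a correct re-sign should have dropped; the tag and algorithm in the report can be compared against `keymgr <zone> list` output.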