On 2021-12-16 03:25, libor.peltan wrote:
> Hi Chris,
> thank you for using Knot DNS, as well as for migrating to some better DNSSEC
> algorithm :)
> Although an algorithm rollover can be performed very easily with Knot DNS, it's
> not an easy process in itself, and it's necessary to first understand it in
> general. Algorithm rollover has several steps and there are necessary delays
> between them, so it will probably take much more than an hour.
> When you try for the first time, I would recommend starting with the much
> simpler ZSK rollover, then KSK rollover, and once you get familiar, you'll be
> able to handle algorithm rollovers easily.
> It's not recommended to modify your keys manually with keymgr while automatic
> key management is doing things. And the `del-all-old` feature is only intended
> for the special Offline KSK setup.
> It might also surprise you that reverting the configuration does not always
> lead to reverting the state. For example, if you trigger an algorithm rollover
> by changing the configuration, the process will start, and if you revert the
> configuration at that stage, I'm not sure what will happen, but probably not a
> flawless return to the original algorithm.
Thank you very kindly for your informative reply, Libor. :-)

FWIW I switched to Knot some 2 years ago. I was able to import all my BIND keys
w/o problem -- thanks for the great docs. :-)
Since then I have added some 160 additional domains. Knot performed well w/o
incident.
It was enough to add an unsigned zone file and declare:

    dnssec-signing: on
    dnssec-policy: <the policy>

and it just worked. :-)
It appears that what I *should* have done is simply change (after defining it)
the dnssec-policy: and *assume* Knot would know what I meant and DTRT. But I
erred on the side of caution, and failed at testing what would/should happen.
> A final hint: use https://dnsviz.net/ to check your zone state.
> Libor
Funny you should say...
I do use that link as well as others to attempt to obtain an "objective" view
of the overall "health" of some of my zones. In fact it was a trip to
https://www.zonemaster.net that set this whole "adventure" off for me.
It complained about the 1024-bit size of my ZSK key(s), which reminded me that
I had started out conservatively to ensure the broadest compatibility. But that
was probably too conservative for this day-and-age. :-) I also find
https://dnssec-debugger.verisignlabs.com a nice utility.
Thank you again, Libor, for the thoughtful reply. :-)
-- Chris
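As an added example (not part of the thread, and not taken from Knot's own documentation), here is a Knot DNS configuration that does the algorithm rollover the way the thread suggests: define a second, stronger policy and repoint the zone at it, leaving the key handling to Knot's automatic key management rather than to keymgr. The policy ids, the submission and remote ids, the parent address and the zone name are assumptions chosen for illustration.

```yaml
# Added example, not from the thread or from Knot's documentation.
# Policy/remote/submission ids, the address and the zone name are assumed.
policy:
    # The conservative policy the thread's author started with:
    # RSA/SHA-256 with a 1024-bit ZSK, which zonemaster flags as too weak.
  - id: legacy-rsa
    algorithm: rsasha256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 30d
    ksk-submission: parent-check

    # The replacement policy: ECDSA P-256. There is no key size to pick,
    # and 256-bit ECDSA is roughly equivalent in strength to 3072-bit RSA.
  - id: modern-ecdsa
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d
    ksk-submission: parent-check

# Let Knot check the parent for the new DS before it retires the old KSK.
# Without a submission section the KSK rollover waits until you confirm
# the DS manually with `knotc zone-ksk-submitted <zone>`.
submission:
  - id: parent-check
    parent: parent-ns
    check-interval: 1h

remote:
  - id: parent-ns
    address: 192.0.2.53      # assumed: a server authoritative for the parent

zone:
  - domain: example.net
    dnssec-signing: on
    # This line previously read `dnssec-policy: legacy-rsa`. Changing it to the
    # new policy and running `knotc reload` starts an automatic algorithm
    # rollover: Knot publishes the new DNSKEYs and signatures alongside the
    # old ones, waits out the TTL/propagation delays, expects the new DS to
    # appear in the parent (via your registrar, or CDS/CDNSKEY if the parent
    # scans for them), and only then withdraws the old algorithm. Do not edit
    # keys with keymgr and do not switch the policy back while this is running.
    dnssec-policy: modern-ecdsa
```

The new DS still has to reach the parent zone during the rollover; that is the step outside Knot's control, so plan it before flipping the policy. Progress can be followed with `keymgr example.net list`, which shows each key's algorithm and timers, and the published state checked from outside with the DNSViz and Verisign tools mentioned in the thread.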