On Monday, 28 August 2023 at 15:56 +0200, libor.peltan wrote:
Hi Bastien,

in your configuration, you have dnssec-signing and mod-onlinesign configured for the same zone. This is probably a mistake. You should have your zone either signed normally (during load, reload, update, etc.), or online (during answering each query). Otherwise it might lead to a mess. I can't even foresee the mess, as we haven't even tried it.

Since you are using mod-synthrecord, you probably should stick to just mod-onlinesign. However, a new feature
https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#reverse-generate
is an alternative to mod-synthrecord for reverse zones, and that one is compatible with normal signing. You might consider migrating to it.

I guess that the error comes from a newly added sanity check, which was considered a tiny change and therefore not mentioned in the changelog.
Thanks for the quick answer :)

You're right, the dnssec zone options can be removed; I must have copied the zone stanza from another one (with no synthrecord/onlinesign).

Thanks for the reverse-generate suggestion, but I will stick to synthrecord, as machines with privacy extensions lie in this address space ;)
Regards,
--
Bastien
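As an added illustration (not a configuration from this thread or from the Knot DNS project), here is a knot.conf fragment showing the conflicting zone stanza Libor describes beside the corrected one; the zone name, module ids, prefix and network are assumed placeholder values.

```yaml
# Added example: a reverse zone that synthesises PTR records with
# mod-synthrecord and signs answers on the fly with mod-onlinesign.
mod-synthrecord:
  - id: v6-reverse            # assumed id
    type: reverse
    prefix: host-             # assumed hostname prefix
    origin: example.net.      # assumed forward origin
    ttl: 400
    network: 2001:db8::/32    # assumed (documentation) prefix

mod-onlinesign:
  - id: online                # assumed id

# BEFORE (mistaken): offline signing and online signing on the same zone.
# This is the combination the sanity check rejects, because the zone
# would be signed both at load/reload time and again per query.
zone:
  - domain: 8.b.d.0.1.0.0.2.ip6.arpa
    dnssec-signing: on        # conflicts with mod-onlinesign below
    dnssec-policy: default    # only meaningful for offline signing
    module: [mod-synthrecord/v6-reverse, mod-onlinesign/online]

# AFTER (corrected): keep only the online-signing path, since the
# synthesised records must be signed when they are generated at query time.
# zone:
#   - domain: 8.b.d.0.1.0.0.2.ip6.arpa
#     module: [mod-synthrecord/v6-reverse, mod-onlinesign/online]
```

Running `knotc conf-check` against the edited file verifies the stanza before a reload, which is where this kind of conflict is reported.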