Hi Ulrich,
thank you for reporting your difficulties.
Well, DDNS provides the ability to modify zone records, but not signing
keys. Even if updating the DNSKEY record weren't prohibited through
DDNS, it wouldn't help you much, because the DNSKEY RRset is under full
control of the signing routines. Knot indeed doesn't "like" DDNS even of
RRSIG and NSEC records, etc.
My recommendations will differ depending on what you are actually trying
to achieve.
If you want to add another ZSK that will be used for signing, you need
to import it into the KASP db, with its public and private parts and
the appropriate metadata (mostly timers).
If you want to add a ZSK that will reside in the DNSKEY RRset but not be
used for signing the zone, you need to import it as "public only", with
its public part and metadata.
Both can be done with the keymgr utility and its `import-bind`,
`import-pub`, and `import-pem` functions. See
https://www.knot-dns.cz/docs/3.0/singlehtml/index.html#document-man_keymgr
Either way, the DNSKEY RRset in the zone will be updated as part of the
following signing process.
I hope this helps you,
Libor
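To make the two options above concrete, here is an added example script; it is not code from this thread or from Knot DNS. It assumes BIND-style key files (K<owner>+<alg>+<tag>.key and .private, as dnssec-keygen writes them), the keymgr CLI of Knot DNS 3.x with the KASP directory passed via -D, a hypothetical zone "example.com" and KASP path "/var/lib/knot/keys", and that keymgr accepts the .key path for import-bind and finds the matching .private itself. The embedded key file is constructed for the example and carries a 3-byte placeholder instead of a real public key. The script checks the foreign key file (ZSK flags, key tag in the file name versus the tag computed from the RDATA per RFC 4034), then builds the keymgr command for either a signing import (import-bind) or a publish-only import (import-pub).

```python
"""Import a ZSK from another signer into Knot's KASP db (added example).

Assumptions: BIND-style key files, keymgr of Knot DNS 3.x, -D <kasp dir>,
zone/paths below are hypothetical, the key material is a constructed placeholder.
"""
import base64
import os
import re
import shlex
import subprocess
import tempfile
from typing import List, Tuple

# Constructed .key file in dnssec-keygen layout: comments, then the DNSKEY RR.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 2063, for example.com.
; Created: 20210216170000 (Tue Feb 16 17:00:00 2021)
; Publish: 20210216170000 (Tue Feb 16 17:00:00 2021)
; Activate: 20210216170000 (Tue Feb 16 17:00:00 2021)
example.com. IN DNSKEY 256 3 13 AQID
"""

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/= ]+)\s*$",
    re.MULTILINE,
)
FILENAME_RE = re.compile(r"K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_bind_key_file(text: str) -> Tuple[str, int, int, int, bytes]:
    """Return (owner, flags, protocol, algorithm, public key bytes) from .key text."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith(";"))
    m = DNSKEY_RE.search(body)
    if m is None:
        raise ValueError("no DNSKEY record found in key file")
    pubkey = base64.b64decode("".join(m.group("key").split()))
    return (m.group("owner"), int(m.group("flags")), int(m.group("proto")),
            int(m.group("alg")), pubkey)


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tag_from_filename(key_base: str) -> int:
    """Tag encoded in the BIND-style base name K<owner>+<alg>+<tag>."""
    m = FILENAME_RE.search(os.path.basename(key_base))
    if m is None:
        raise ValueError("not a BIND-style key file name: " + key_base)
    return int(m.group("tag"))


def choose_subcommand(signing: bool, have_private: bool) -> str:
    """signing=True: key must sign here -> .key + .private -> import-bind.
    signing=False: only published in the DNSKEY RRset -> import-pub."""
    if signing and not have_private:
        raise ValueError("a signing ZSK needs the .private file; "
                         "use import-pub if it should only be published")
    return "import-bind" if signing else "import-pub"


def keymgr_command(zone: str, key_base: str, kasp_dir: str, signing: bool) -> List[str]:
    """keymgr -D <kasp_dir> <zone> import-bind|import-pub <base>.key
    (assumption: keymgr derives the .private name from the .key path)."""
    sub = choose_subcommand(signing, os.path.exists(key_base + ".private"))
    return ["keymgr", "-D", kasp_dir, zone, sub, key_base + ".key"]


def check_key_file(key_base: str) -> int:
    """Pre-import sanity check: ZSK flags, and file-name tag == RDATA tag."""
    with open(key_base + ".key") as f:
        owner, flags, proto, alg, pubkey = parse_bind_key_file(f.read())
    if flags & 0x0001:  # SEP bit set: this is a KSK, not the ZSK we expect
        raise ValueError("flags %d mark a KSK/SEP key, not a ZSK" % flags)
    computed, named = key_tag(flags, proto, alg, pubkey), tag_from_filename(key_base)
    if computed != named:
        raise ValueError("tag mismatch: name says %d, RDATA gives %d" % (named, computed))
    return computed


if __name__ == "__main__":
    # Write the constructed key file, print both import plans; run keymgr only
    # when RUN_KEYMGR=1 is set (requires keymgr and a writable KASP dir).
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "Kexample.com.+013+02063")
        with open(base + ".key", "w") as f:
            f.write(SAMPLE_KEY_FILE)
        print("key tag:", check_key_file(base))
        for signing in (False, True):
            try:
                cmd = keymgr_command("example.com", base, "/var/lib/knot/keys", signing)
            except ValueError as e:
                print("signing=%s: %s" % (signing, e))
                continue
            print(" ".join(shlex.quote(c) for c in cmd))
            if os.environ.get("RUN_KEYMGR") == "1":
                subprocess.run(cmd, check=True)
```

Run without RUN_KEYMGR it only prints the planned commands; with only the constructed .key present, the signing variant is refused, which is exactly the case where import-pub is the right choice. After a real import, `keymgr -D /var/lib/knot/keys example.com list` should show the same key tag the script computed, and the DNSKEY RRset picks the key up at the next signing, not through DDNS.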
On 16. 02. 21 at 18:25 Ulrich Wisser wrote:
Hi!
Today we tried to do a dynamic update to the DNSKEY set.
What we want to do is to import the ZSK from another signer.
Didn’t work so well.
Feb 16 17:15:28 ip-172-31-38-41 knotd[24222]: warning: DDNS, refusing to update DNSSEC-related record
I guess Knot doesn't like dynamic DNSSEC updates.
I even tried with policy manual:on.
What does one have to do to be allowed to add (or delete) DNSKEY records?
/Ulrich