Hello,
I have DNSSEC activated in knot-dns. It always signs
my file, and it is very difficult to change my zone file with the DNSSEC stuff inside. Is
it possible to keep the zone file clean and have it create a .signed file for DNSSEC?
At the moment, there is no sane solution for this problem.
Knot DNS (since 1.5.0, I think) flushes DNSSEC-related records separately from
the non-DNSSEC records. All is written into the same master file, but
first the non-DNSSEC records and then the DNSSEC records. If you do not
mind losing custom master file formatting and comments, you can set
`zonefile-sync` to zero, which will flush the zone immediately after it
has been signed.
Another possibility is to set `zonefile-sync` to a very high value (10
years or something). In this case, your zone file won't be updated
unless you run 'knotc flush'. The DNSSEC changes will be kept in the
zone journal only. This will work, but the whole zone will be re-signed
after every update. In addition, you will have to be super careful about
updating the SOA serial and during DNSSEC key rotation.
We want to implement a better solution for this problem, but it is not a
priority right now.
Best regards,
Jan
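Added example, not from the thread above and not part of Knot DNS: a small script that takes a master file as Knot flushes it (operator records followed by the DNSSEC records, as Jan describes) and splits it into a "clean" zone without RRSIG/NSEC/NSEC3/NSEC3PARAM/DNSKEY/CDS/CDNSKEY records and a second file holding only those records. The sample zone embedded in it is constructed for the example; the `.clean`/`.dnssec` output names and the input path are hypothetical. It handles multi-line records in parentheses and records whose owner name is omitted, which is where a naive `grep -v RRSIG` goes wrong.

```python
"""Split a zone file flushed by a signing name server into the operator's
records and the DNSSEC-generated records. Example code for this thread,
not Knot DNS code."""
import re
import sys

# Record types that DNSSEC signing adds to a zone; everything else is kept
# in the "clean" zone.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}
CLASSES = {"IN", "CH", "HS", "NONE", "ANY"}
_TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")

# Constructed sample, laid out the way a signer dumps it: operator records
# first, DNSSEC records last. Signature/key data is dummy text.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. (
                 2015010101 ; serial
                 3600 900 1209600 300 )
example.com.     3600 IN NS    ns1.example.com.
ns1.example.com. 3600 IN A     192.0.2.1
example.com.     3600 IN DNSKEY 257 3 8 AwEAAc0nstructed
                 3600 IN RRSIG DNSKEY 8 2 3600 20150201000000 20150101000000 12345 example.com. c2ln
example.com.     3600 IN RRSIG SOA 8 2 3600 20150201000000 (
                 20150101000000 12345 example.com. c2ln )
example.com.     3600 IN NSEC  ns1.example.com. NS SOA RRSIG NSEC DNSKEY
"""


def _structural(line):
    """Return the line with quoted strings blanked and the ';' comment removed,
    so parentheses or words inside TXT data or comments are not misread."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            continue
        if in_quote:
            continue
        if ch == ";":
            break
        out.append(ch)
    return "".join(out)


def logical_records(text):
    """Yield each logical record (directive, blank/comment line, or RR) as the
    original text; lines inside ( ... ) are joined to their record."""
    buf, depth = [], 0
    for line in text.splitlines():
        buf.append(line)
        s = _structural(line)
        depth += s.count("(") - s.count(")")
        if depth <= 0:
            depth = 0
            yield "\n".join(buf)
            buf = []
    if buf:  # unbalanced parenthesis at EOF: emit what we have
        yield "\n".join(buf)


def rrtype_of(record):
    """Return the RR type (upper-case) of a logical record, or None for
    directives, blank lines and comments."""
    tokens = " ".join(_structural(l) for l in record.splitlines())
    tokens = tokens.replace("(", " ").replace(")", " ").split()
    if not tokens or tokens[0].startswith("$"):
        return None
    # Leading whitespace means the owner name is inherited from the previous
    # record; otherwise the first token is the owner.
    i = 0 if record[0].isspace() else 1
    while i < len(tokens) and (_TTL_RE.fullmatch(tokens[i]) or tokens[i].upper() in CLASSES):
        i += 1
    return tokens[i].upper() if i < len(tokens) else None


def split_zone(text):
    """Return (clean_zone_text, dnssec_records_text)."""
    clean, signed = [], []
    for rec in logical_records(text):
        (signed if rrtype_of(rec) in DNSSEC_TYPES else clean).append(rec)
    join = lambda parts: "\n".join(parts) + ("\n" if parts else "")
    return join(clean), join(signed)


if __name__ == "__main__":
    # Hypothetical usage: python3 split_zone.py /var/lib/knot/example.com.zone
    path = sys.argv[1]
    with open(path) as f:
        clean, signed = split_zone(f.read())
    with open(path + ".clean", "w") as f:
        f.write(clean)
    with open(path + ".dnssec", "w") as f:
        f.write(signed)
```

The `.clean` output is still in the server's dump formatting, so the comments and layout Jan mentions are already gone; the script only removes the records the signer added. An RRSIG whose owner is written as leading whitespace is classified by its own type, not by the record above it, which is the case a line-oriented grep on the owner column would misfile.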