Hi Oliver,
> Ah, the mistake was that changing the dnssec-policy *and* dnssec-signing
> in one go does not insert the delete-CDS/CDNSKEY records since knot
> immediately stops all dnssec related actions. Thanks!

You at least want to have the special CDNSKEY record -signed- anyway ;)

> Am I right that, unlike the signing process (KSK submission attempts),
> there is no built-in functionality in knot that takes care of the
> right time to remove the key material from the zone?

Yes. We didn't care much for this use case, sorry. I guess it's not so
difficult to achieve this manually. We need to have automated just those
processes that start automatically (e.g. KSK rollover).

> So, basically I should wait
> [propagation-delay] + [max TTL seen in zone/knot_soa_minimum]
> seconds until I manually remove the material.

No, you first need to check when your parent zone removed the DS record.
Afterwards wait for its TTL + propagation_delay.
BR,
Libor
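As an added example, not code from this thread or from Knot DNS, the manual last step Libor describes as a small Python planner: it checks that the zone still carries the RFC 8078 "delete" CDS/CDNSKEY pair, lists the DNSSEC-only record types that will have to be stripped, and computes the earliest removal time as (when the parent dropped the DS) + (the DS TTL the parent served) + (propagation delay). The zone snippet, the key/signature placeholders, the timestamps and the 3600 s propagation delay are constructed inputs; the function names are mine.

```python
"""Planner for the manual last step of going unsigned with Knot DNS.

Added example, not code from Knot DNS or from this thread. The zone
snippet, timestamps and the propagation delay are constructed inputs.
"""
from datetime import datetime, timedelta, timezone

# RFC 8078, section 4: the "DELETE" CDS and CDNSKEY records a child
# publishes to ask its parent to drop the DS.
DELETE_CDS_RDATA = "0 0 0 00"
DELETE_CDNSKEY_RDATA = "0 3 0 AA=="

# Record types that only exist because the zone is signed and must be
# stripped once the parent no longer publishes a DS for it.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}


def parse_zone(text):
    """Parse one-record-per-line presentation format: owner TTL class type rdata.

    Deliberately minimal: no $ORIGIN/$TTL directives, no multi-line records.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            raise ValueError("malformed record: %r" % raw)
        owner, ttl, rclass, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        records.append({"owner": owner, "ttl": int(ttl), "class": rclass,
                        "type": rtype, "rdata": rdata})
    return records


def has_delete_cds_cdnskey(records):
    """True if the zone still advertises the RFC 8078 delete pair."""
    cds = {r["rdata"] for r in records if r["type"] == "CDS"}
    cdnskey = {r["rdata"] for r in records if r["type"] == "CDNSKEY"}
    return DELETE_CDS_RDATA in cds and DELETE_CDNSKEY_RDATA in cdnskey


def dnssec_records(records):
    """The records that must go when the zone becomes unsigned."""
    return [r for r in records if r["type"] in DNSSEC_TYPES]


def earliest_removal(ds_removed_at, parent_ds_ttl, propagation_delay):
    """Libor's rule: time the parent dropped the DS + the DS TTL the parent
    served + propagation delay. The child's own max TTL does not matter here;
    what matters is how long a validator may still hold the DS in cache."""
    return ds_removed_at + timedelta(seconds=parent_ds_ttl + propagation_delay)


def plan_unsigning(records, ds_removed_at, parent_ds_ttl, propagation_delay, now):
    """Decide whether the key material may be stripped right now.

    ds_removed_at is None while the parent still publishes the DS.
    """
    plan = {
        "delete_pair_published": has_delete_cds_cdnskey(records),
        "to_remove": sorted({r["type"] for r in dnssec_records(records)}),
        "earliest_removal": None,
        "ok_to_remove": False,
    }
    if ds_removed_at is None:
        plan["reason"] = "parent still publishes the DS; do not touch the zone yet"
        return plan
    plan["earliest_removal"] = earliest_removal(ds_removed_at, parent_ds_ttl, propagation_delay)
    if now < plan["earliest_removal"]:
        plan["reason"] = "DS may still be cached by validators; keep the zone signed"
    else:
        plan["ok_to_remove"] = True
        plan["reason"] = "DS TTL + propagation delay elapsed since the parent dropped the DS"
    return plan


# Constructed zone snippet (placeholder key and signature data), still
# carrying the delete pair.
SAMPLE_ZONE = """\
example.com.  3600 IN SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.  3600 IN NS      ns1.example.com.
example.com.  3600 IN DNSKEY  257 3 13 dGVzdGtleQ==   ; constructed placeholder
example.com.  3600 IN RRSIG   DNSKEY 13 2 3600 20240201000000 20240101000000 12345 example.com. c2ln
example.com.  3600 IN CDS     0 0 0 00
example.com.  3600 IN CDNSKEY 0 3 0 AA==
example.com.  3600 IN NSEC    ns1.example.com. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
ns1.example.com. 3600 IN A    192.0.2.1
"""


def demo_plan(hours_after_ds_removal):
    """Run the planner on the constructed inputs: parent dropped the DS at
    noon UTC, served it with a one-day TTL, and we allow an hour to propagate."""
    dropped = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    now = dropped + timedelta(hours=hours_after_ds_removal)
    return plan_unsigning(parse_zone(SAMPLE_ZONE), dropped, 86400, 3600, now)


if __name__ == "__main__":
    for hours in (1, 26):
        p = demo_plan(hours)
        print(hours, "h after DS removal:", p["ok_to_remove"], "-", p["reason"], p["to_remove"])
```

The inputs a practitioner feeds this in practice are the timestamp at which a query to the parent's authoritative servers stopped returning the DS and the TTL those servers served for it; the child zone's own TTLs (or the SOA minimum) play no part in the waiting time.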