Right now I have two zone types for my knot test setup, one where knot
is doing DNSSEC signing as a slave (AXFR in -> sign -> AXFR out) and
one where the knot is the master for the zone and zone data is coming
out of a git repository and gets signed.
Reading older threads on this ML and browsing the configuration has
led me to the following configuration and I wanted to make sure this
is actually supported or if there is a best practice that is
different.
1) Inline DNSSEC signing for slave zone.
zone:
- domain:
example.com
serial-policy: unixtime
storage: "/var/lib/knot/slave"
file: "%s.zone"
zonefile-load: difference
dnssec-signing: on
dnssec-policy: rsa-de
master: ns1_signer
notify: ns1
acl: acl_ns1
policy:
- id: rsa-de
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
ksk-submission: tld_de
This seems to work fine, zone gets transferred from master (with low
serial), signed and with a new unixtime serial transferred out again.
I'm not sure if "zonefile-load: difference " makes any difference for
a slave zone but without it I get warnings about possibly malformed
IXFRs...
2) Inline DNSSEC for master zone from git:
zone:
- domain: dnssec-test.intern
serial-policy: unixtime
storage: "/var/lib/knot/master"
file: "%s.zone"
zonefile-sync: -1
dnssec-signing: on
dnssec-policy: rsa
acl: acl_ns1
zonefile-load: difference-no-serial
policy:
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
This also works but I get warnings like this:
[dnssec-test.intern.] journal, discontinuity in changes history (1540307365 -> 28),
dropping older changesets
Is this expected? Also I read in older threads that this might fill
up the journal. Is that still the case?
Best Regards
Sebastian
--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
SCYTHE.
-- Terry Pratchett, The Fifth Elephant