New subject: Question on ZSK rollover

7 Pro 2018

Hi all,
one of my zones made a ZSK rollover yesterday. I had an some recursive
resolvers validation errors at different times. This is the log output
from knot of the rollover:
Dec  6 17:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, ZSK rollover
started
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800,
algorithm RSASHA256, KSK, public, ready, active
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820,
algorithm RSASHA256, public
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188,
algorithm RSASHA256, public, active
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully
signed
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at
2018-12-06T18:16:49
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] zone file updated,
serial 1543943808 -> 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] notify, outgoing,
10.10.10.10@53: serial 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@45727: started, serial 1543943808 -> 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@45727: finished, 0.00 seconds, 1 messages, 1329 bytes
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800,
algorithm RSASHA256, KSK, public, ready, active
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188,
algorithm RSASHA256, public
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820,
algorithm RSASHA256, public, active
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully
signed
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at
2018-12-06T19:16:49
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] zone file updated,
serial 1544113009 -> 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] notify, outgoing,
10.10.10.10@53: serial 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@53131: started, serial 1544113009 -> 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@53131: finished, 0.00 seconds, 1 messages, 43889 bytes
Dec  6 18:16:50 a knotd[9924]: info: [voja.de.] AXFR, outgoing,
10.10.10.10@59417: started, serial 1544116609
Dec  6 18:16:50 a knotd[9924]: info: [voja.de.] AXFR, outgoing,
10.10.10.10@59417: finished, 0.00 seconds, 1 messages, 28054 bytes
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800,
algorithm RSASHA256, KSK, public, ready, active
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820,
algorithm RSASHA256, public, active
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully
signed
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at
2018-12-07T15:16:48
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] zone file updated,
serial 1544116609 -> 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] notify, outgoing,
10.10.10.10@53: serial 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@55161: started, serial 1544116609 -> 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing,
10.10.10.10@55161: finished, 0.00 seconds, 1 messages, 1329 bytes
10.10.10.10 is the (anonymized) IP of the distribution server, which is
a Bind server. The actual authorative nameservers get the zone from Bind
with IFXR or AXFR. AXFR is used for distribution to a anycast nameserver
pair.
When looking at the ZSK rollover timing, I notice that after two hours
Knot stopped signing with the old ZSK. Does this make sense? The last
event before the rollover has been this resining:
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800,
algorithm RSASHA256, KSK, public, ready, active
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188,
algorithm RSASHA256, public, active
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, successfully
signed
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at
2018-12-06T17:16:48
Is it possible that this is an issue with a propagation-delay that is
too low (default value applies).
Regards
    Volker

Question on KSK rollover