Hi Ondřej,
thanks for your reply. The signer is indeed running Knot
2.7.3-1~cz.nic~stretch1 and SOA TTL is one day.
I just upgraded to 2.7.4-1~cz.nic~stretch1.
I also got an email from Libor, who suggested setting the propagation
delay to twice the refresh value. I chose "propagation-delay: 1d" to
make sure the zone has been propagated to all slaves.
Best regards,
Volker
On 2018-12-07 12:49, Ondřej Caletka wrote:
On 07. 12. 18 at 11:50 Volker Janzen wrote:
When looking at the ZSK rollover timing, I notice that after two hours
Knot stopped signing with the old ZSK. Does this make sense?
Hello Volker,
what version of Knot DNS are you using? My guess is that you are hitting
this issue, which has been resolved in 2.7.4:
https://gitlab.labs.nic.cz/knot/knot-dns/issues/624
In short, if you don't set dnskey-ttl explicitly in the policy, for the
purpose of rollover timing, it was wrongly assumed to be zero.
Therefore, the only timing considered is the propagation delay, which is
by default 1 hour. That means if your SOA TTL is more than 1 hour, you
will hit this bug.
--
Best regards
Ondřej Caletka
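As an added illustration (not a config posted in this thread, and not the exact one Volker runs), here is a knot.conf policy excerpt of the kind discussed above. The first policy leaves dnskey-ttl unset, so on a signer older than 2.7.4 the rollover timing collapses to the 1 hour default propagation-delay regardless of the real DNSKEY TTL; the second sets dnskey-ttl explicitly to the zone's DNSKEY/SOA TTL and raises propagation-delay, which is the workaround on affected versions and harmless on 2.7.4 and later. The zone name, key sizes and lifetimes are placeholders.

```yaml
# Added example, not from the mailing list thread. Zone name, sizes and
# lifetimes are assumptions; the option names are Knot DNS policy options.
policy:
  # Affected configuration: dnskey-ttl is not set, so pre-2.7.4 signers
  # treated it as zero for rollover timing and only waited the default
  # propagation-delay (1h) before switching to the new ZSK, even though
  # the published DNSKEY RRset (TTL 1d here) is still cached by resolvers.
  - id: zsk-timing-unsafe
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d

  # Corrected configuration: state the DNSKEY TTL explicitly so it is
  # counted in the rollover timing, and give a propagation-delay that
  # covers transfer of the zone to every slave before the switch.
  - id: zsk-timing-safe
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d
    dnskey-ttl: 1d          # match the TTL actually used for the DNSKEY RRset
    propagation-delay: 1d   # time for all slaves to receive the new DNSKEY

zone:
  - domain: example.net.    # placeholder zone
    dnssec-signing: on
    dnssec-policy: zsk-timing-safe
```

After changing the policy, check the planned key timing with `keymgr <zone> list` and confirm that the old ZSK remains active for at least dnskey-ttl plus propagation-delay after the new one is published.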