Hi Daniel,
Thanks, indeed. I had a suspicion something in the default template was in the way. Too bad now all other zones have to have two lines of definitions rather than just one :-)
I was also confused that knot doesn't publish CDS records for zones that are not in the process of rolling a key, but after picking the right zone, it turns out everything works as intended:
dig @ns3b.droso.dk cds _dsboot.lansing.cl._signal.ns3b.droso.dk +dnssec +short
37743 13 2 FF4EF91DD6471FF6207FFD30A512C9573200A53D7163B67DF9F31F75 459142AB
CDS 13 7 0 20240528154030 20240514141030 32886 _signal.ns3b.droso.dk. 1rN4np8mrXkvFU+Ikcs7DEzNgE7eFc/Ml8wSPrnEvY51VaLCFMC9h7gx c2zFu79kWufy5MbykQ7P0XyFXCSu2A==
Thanks again and great new feature! Hopefully more registries and registrars will add it.
Best
Erwin
On 14 May 2024, at 08.05, Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
Hi Erwin,
The module generates responses online, so you must use online DNSSEC signing, which is incompatible with the pre-signing functionality.
You need to remove dnssec-signing (and dnssec-policy) from the default template. Also note that mod-onlinesign ignores the NSEC3 setting (remove nsec3 from the policy).
Daniel
On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:
> Howdy,
> I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs. However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.
> error: [_signal.ns2.droso.dk.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
> Relevant knot.conf snippets (in order):
> policy:
>   - id: ecc
>     algorithm: ecdsap256sha256
>     nsec3: on
>     rrsig-refresh: 7d
>
> mod-onlinesign:
>   - id: authsignal
>     nsec-bitmap: [CDS, CDNSKEY]
>     policy: ecc
>
> template:
>   - id: default
>     …
>     dnssec-signing: on
>     dnssec-policy: ecc
>     …
>
> zone:
>   - domain: _signal.ns2.droso.dk
>     module: [mod-authsignal, mod-onlinesign/authsignal]
> Any hint appreciated
> Best
> Erwin
> --
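The configuration shape Daniel describes, written out as an added example that is not part of the thread: the default template carries no DNSSEC settings, pre-signing moves into a separate template that the ordinary zones reference, and the signalling zone keeps only its modules. The template name `signed` and the zone `example.com` are constructed placeholders, not from the original messages.

```yaml
# Added example (not from the thread). Knot DNS knot.conf: keep the default
# template free of dnssec-signing/dnssec-policy so that mod-onlinesign zones,
# which fall back to "default", do not collide with automatic signing.
policy:
  - id: ecc
    algorithm: ecdsap256sha256
    # nsec3 removed as advised: mod-onlinesign ignores the NSEC3 setting
    rrsig-refresh: 7d

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  # applied to every zone without an explicit template; no DNSSEC keys here,
  # otherwise: "module 'mod-onlinesign/authsignal', incompatible with automatic signing"
  - id: default

  # constructed name: pre-signing template for the ordinary zones
  - id: signed
    dnssec-signing: on
    dnssec-policy: ecc

zone:
  # constructed placeholder for an ordinary zone; one template line instead of
  # repeating dnssec-signing and dnssec-policy per zone
  - domain: example.com
    template: signed

  # signalling zone for authenticated DNSSEC bootstrapping: online signing only,
  # so it must not inherit dnssec-signing from its template
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]
```

After reloading, the CDS/CDNSKEY answers for the signalling zone are signed online by mod-onlinesign, while zones using the `signed` template continue to be pre-signed under policy `ecc`.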