> dig @ns3b.droso.dk cds _dsboot.lansing.cl._signal.ns3b.droso.dk +dnssec +short

37743 13 2 FF4EF91DD6471FF6207FFD30A512C9573200A53D7163B67DF9F31F75 459142AB

CDS 13 7 0 20240528154030 20240514141030 32886 _signal.ns3b.droso.dk. 1rN4np8mrXkvFU+Ikcs7DEzNgE7eFc/Ml8wSPrnEvY51VaLCFMC9h7gx c2zFu79kWufy5MbykQ7P0XyFXCSu2A==

On 14 May 2024, at 08.05, Daniel Salzman <daniel.salzman@nic.cz> wrote:

Hi Erwin,

The module generates responses online, so you must use online DNSSEC signing, which is incompatible with
the pre-signing functionality.

You need to remove dnssec-signing (and dnssec-policy) from the default template. Also note that mod-onlinesign
ignores NSEC3 setting (remove nsec3 from the policy).

Daniel

On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:

Howdy,
I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs.  However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.
error: [_signal.ns2.droso.dk <http://signal.ns2.droso.dk/>.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
Relevant knot.conf snippets (in order):
policy:
  - id: ecc
    algorithm: ecdsap256sha256
    nsec3: on
    rrsig-refresh: 7d
mod-onlinesign:
 - id: authsignal
   nsec-bitmap: [CDS, CDNSKEY]
   policy: ecc
template:
  - id: default
…
    dnssec-signing: on
    dnssec-policy: ecc
…
zone:
  - domain: _signal.ns2.droso.dk <http://signal.ns2.droso.dk/>
    module: [mod-authsignal, mod-onlinesign/authsignal]
Any hint appreciated
Best
Erwin
--