Hi all,
I'm currently looking for alternatives that do automatic DNSSEC signing
as a master DNS server. I run a Knot secondary instance and added a
manually signed and an automatically signed zone, because I want to
understand the differences and which is better for my needs.
I added this to my knot.conf
policy:
  - id: rsa
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024

  - id: manual
    manual: on

zone:
  - domain: "auto.test."
    file: "/etc/knot/master/auto.test.zone"
    dnssec-signing: on
    dnssec-policy: default

  - domain: "manual.test."
    file: "/etc/knot/master/manual.test.zone"
    dnssec-signing: on
    dnssec-policy: manual
I'm not sure about how some things work, perhaps someone can answer my
questions.
When auto signing is used, are the ZSKs rolled automatically? And KSK
rollover is not possible at all? Not even manually?
For manual mode, I followed these steps to generate the keys:
$ keymgr zone key generate manual.test algorithm RSASHA256 size 1024
$ keymgr zone key generate manual.test algorithm ECDSAP256SHA256 size 256
This results in
dig @localhost DNSKEY manual.test +short
256 3 8 AwEAAbGES3TH8jPCIhcdc93dbDNoUkDn5YmviG2/lkCESDcIvzpRFjsC
ATAZEIEo1LosM6cALS8AVkxKK/BSOpuvLHvhX7O+ny7eX5X/C2PHnGs+
WMieIhbjLJWdIsNCMhSqQ7vTlguFmHbUdyzV+8dnrMl1GSpdSc1P0Fyp vjxDM5+H
256 3 13 H+qtCYv9A0RlqQCOtDyGGEMhVgn92wPdZ+WrqRAqb/MJ3RzdDSyhaX2p
B/TU5F8mQccrVIdiJriT+zmWpoW9sA==
I don't understand why there is no DNSKEY with SEP set. Shouldn't it be
there?
Regards,
Volker
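As an added example (not code from the original post and not part of Knot DNS), here is a small Python parser that takes the `dig +short DNSKEY` output quoted in the post, classifies each key by the SEP bit (flags 257 = KSK, 256 = ZSK) and computes the RFC 4034 key tag, which is the value a DS record at the parent refers to. The two 256-flag records are copied verbatim from the post; the 257-flag record is constructed with a dummy key purely to show the contrasting case.

```python
"""Classify a DNSKEY RRset by the SEP flag and compute RFC 4034 key tags.

Added example for this thread; it is not Knot DNS code and not the poster's
own tooling.  Input is the text form that `dig +short DNSKEY <zone>` prints:
"<flags> <protocol> <algorithm> <base64 public key>", possibly line-wrapped.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List

SEP_FLAG = 0x0001       # RFC 4034 s.2.1.1 bit 15: Secure Entry Point (KSK)
ZONE_KEY_FLAG = 0x0100  # bit 7: zone key; set on both ZSKs and KSKs
RSA_ALGORITHMS = (5, 7, 8, 10)

# DNSKEY records copied from the post above (flags 256 = zone key, SEP clear).
POSTED_RRSET = """\
256 3 8 AwEAAbGES3TH8jPCIhcdc93dbDNoUkDn5YmviG2/lkCESDcIvzpRFjsC
ATAZEIEo1LosM6cALS8AVkxKK/BSOpuvLHvhX7O+ny7eX5X/C2PHnGs+
WMieIhbjLJWdIsNCMhSqQ7vTlguFmHbUdyzV+8dnrMl1GSpdSc1P0Fyp vjxDM5+H
256 3 13 H+qtCYv9A0RlqQCOtDyGGEMhVgn92wPdZ+WrqRAqb/MJ3RzdDSyhaX2p
B/TU5F8mQccrVIdiJriT+zmWpoW9sA==
"""

# Constructed KSK (flags 257) carrying a dummy 64-byte "P-256 point".
# The key bytes are NOT a real key; only the flags and the format matter here.
CONSTRUCTED_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()


@dataclass
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    @property
    def role(self) -> str:
        return "KSK" if self.is_sep else "ZSK"

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: sum RDATA as big-endian 16-bit words, fold carry once."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def rsa_modulus_bits(self) -> int:
        """Modulus size of an RSA key (RFC 3110 s.2: exponent-length prefix, exponent, modulus)."""
        if self.algorithm not in RSA_ALGORITHMS:
            raise ValueError("not an RSA algorithm")
        exp_len, off = self.pubkey[0], 1
        if exp_len == 0:  # long form: 2-byte exponent length follows the zero byte
            exp_len = int.from_bytes(self.pubkey[1:3], "big")
            off = 3
        modulus = self.pubkey[off + exp_len:]
        return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey_rrset(text: str) -> List[DnsKey]:
    """Parse dig +short style output; lines not starting with three integers are base64 continuations."""
    records = []  # [flags, protocol, algorithm, [base64 chunks]]
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if len(toks) >= 4 and all(t.isdigit() for t in toks[:3]):
            records.append([int(toks[0]), int(toks[1]), int(toks[2]), toks[3:]])
        elif records:
            records[-1][3].extend(toks)
        else:
            raise ValueError(f"continuation line before any record: {line!r}")
    return [DnsKey(f, p, a, base64.b64decode("".join(chunks)))
            for f, p, a, chunks in records]


def ksks(keys: List[DnsKey]) -> List[DnsKey]:
    """Keys with the SEP bit set: the ones a parent DS record can point at."""
    return [k for k in keys if k.is_sep]


def describe(keys: List[DnsKey]) -> List[str]:
    out = []
    for k in keys:
        size = f" RSA-{k.rsa_modulus_bits()}" if k.algorithm in RSA_ALGORITHMS else ""
        out.append(f"{k.role} flags={k.flags} alg={k.algorithm} "
                   f"tag={k.key_tag()} keylen={len(k.pubkey)}B{size}")
    return out


if __name__ == "__main__":
    posted = parse_dnskey_rrset(POSTED_RRSET)
    print("\n".join(describe(posted)))
    if not ksks(posted):
        print("no SEP key in this RRset: nothing to derive a DS record from")
    print("\n".join(describe(parse_dnskey_rrset(CONSTRUCTED_KSK))))
```

Run against the posted RRset it reports two ZSKs (RSA-1024 and P-256) and no KSK: neither record has the SEP bit, so there is no key to build a DS record from. The SEP bit is set by the signer when a key is generated as a KSK rather than a ZSK; the exact keymgr option for that has changed between Knot versions, so check the man page of the keymgr you have instead of relying on this example.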