Hi Ondřej,
On 03.10.2017 04:54, Ondřej Surý wrote:
> André, how do you sign the zone? Is Knot DNS master or slave in your
> configuration? Generally, the DNS server is agnostic to the contents
> of the zone - whatever is there gets served.
Knot (2.5.4) is master and does the dnssec-signing. From the configuration:
policy:
  - id: default_ecdsa
    algorithm: ecdsap256sha256

template:
  - id: master_dnssec
    dnssec-policy: default_ecdsa
    dnssec-signing: on
    serial-policy: unixtime
    file: /var/lib/knot/zones/%s.zone
The zone file in /var/lib/knot/zones does not contain any DNSSEC related
information, this is all added by knot. If I do a:
  keymgr example.net list
I do not have a key for the outdated signature anymore. I'm happy to
provide the domain name and full configuration off-list if that helps.
Regards
André
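The situation André describes, a signature that is still served although no key for it is listed anymore, can be checked mechanically by comparing the key tags referenced by every RRSIG against the key tags of the DNSKEY records actually present at the signer name. The script below is an added example written for this thread; it is not code from the mailing list or from Knot DNS. It assumes the signed zone is available in one-record-per-line presentation format (as produced by a zone transfer or a zone dump), and the sample zone in it is constructed: the public keys are two-byte placeholders, the signature field is a dummy, and only the record layout is realistic. Key tags are computed per RFC 4034 Appendix B, which applies to every algorithm except the obsolete RSAMD5.

```python
import base64
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5).

    The tag is a 16-bit checksum over the DNSKEY RDATA; it is what an RRSIG
    carries to say which key it was made with.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(zone_text: str):
    """Split presentation-format lines into DNSKEY and RRSIG tuples.

    Returns (dnskeys, rrsigs) where
      dnskeys: list of (owner, flags, protocol, algorithm, pubkey_b64)
      rrsigs:  list of (owner, covered_type, key_tag, signer)
    Only the fields the check needs are kept; other RR types are ignored.
    """
    dnskeys, rrsigs = [], []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("DNSKEY", "RRSIG"):
            continue
        owner = fields[0]
        if fields[3] == "DNSKEY":
            # owner ttl class DNSKEY flags protocol algorithm key...
            dnskeys.append((owner, int(fields[4]), int(fields[5]),
                            int(fields[6]), "".join(fields[7:])))
        else:
            # owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig...
            rrsigs.append((owner, fields[4], int(fields[10]), fields[11]))
    return dnskeys, rrsigs


def find_orphaned_rrsigs(zone_text: str):
    """Return RRSIGs whose (signer, key tag) matches no DNSKEY in the zone."""
    dnskeys, rrsigs = parse_zone(zone_text)
    present = {(owner, key_tag(flags, proto, alg, key))
               for owner, flags, proto, alg, key in dnskeys}
    return [(owner, rtype, tag)
            for owner, rtype, tag, signer in rrsigs
            if (signer, tag) not in present]


# Constructed sample zone (not a real key set): a KSK, a ZSK, signatures made
# with both, and one stale signature referencing a key tag no longer published.
SAMPLE_ZONE = """\
example.net.     3600 IN DNSKEY 257 3 13 AAE=
example.net.     3600 IN DNSKEY 256 3 13 AAU=
example.net.     3600 IN RRSIG  DNSKEY 13 2 3600 20171101000000 20171002000000 1039 example.net. c2ln
www.example.net. 3600 IN RRSIG  A 13 3 3600 20171101000000 20171002000000 1042 example.net. c2ln
www.example.net. 3600 IN RRSIG  A 13 3 3600 20171001000000 20170901000000 4711 example.net. c2ln
"""

if __name__ == "__main__":
    for owner, rtype, tag in find_orphaned_rrsigs(SAMPLE_ZONE):
        print(f"orphaned RRSIG: {owner} {rtype} signed with unknown key tag {tag}")
```

On a real zone, feed the output of `dig @master example.net AXFR` (or the signed zone as the server dumps it) into `find_orphaned_rrsigs`; any hit means the server still serves a signature for which validators cannot find a DNSKEY, which is the symptom in this thread. Two signatures over the same RRset with different key tags are normal during a key rollover, so the check deliberately flags only signatures whose key is absent, not RRsets that carry more than one signature.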