On 2021-12-15 23:44, Daniel Salzman wrote:
> Hi Chris,
>
> On 12/15/21 10:28 PM, Chris wrote:
>> On 2021-12-15 13:01, Anand Buddhdev wrote:
>>> On 15/12/2021 20:18, Chris wrote:
>>>
>>> Hi Chris,
>>>
>>> [snip config details]
>>>
>>>> How would I best make this change? Is it enough to simply change
>>>>   algorithm:
>>>> and knot will just do the right thing?
>>>
>>> Yes, please! Just change the algorithm and let Knot do its thing. It will
>>> do the right thing. Please do *not* fiddle with things manually. DNSSEC is
>>> complex, and algorithm roll-overs require care. The developers of Knot have
>>> put a lot of care into handling algorithm roll-overs. Trust their expertise.
>>
>> Thanks for the reply, Anand! :-)
>>
>> I'm well aware of all the complexities, and am well confident in Knot's
>> abilities to DTRT. But "stuff" happens. E.g., after creating the additional
>> policy, some of the zones are _also_ adopting that new policy as _well_ as
>> the original policy. IOW there are some zones with both RSASHA1 _and_
>> RSASHA256 hashes in them.
>
> One zone cannot use more than one DNSSEC policy! I think you are confused by
> an ongoing algorithm rollover, when both algorithms are present in the zone
> (see https://datatracker.ietf.org/doc/html/rfc6781#section-4.1.4).
I don't think so. But I think I'm probably saying it incorrectly.

Somehow, after creating an additional policy "template" that defines RSASHA256
and a 2048-bit ZSK size, a couple of zones added 8/2 algo/digest to the 5/2
algo/digest. Which suggests to me that those zones arbitrarily picked up the
new rsa2 I added, even though the zone template for all the zones only states
rsa1.

I'm not quite sure what to make of it. So I'll just freeze the offending zones
and purge the history on them and recreate/sign them. I had intended to convert
them all to the new RSASHA256 (rsa2) profile template anyway. Just hadn't
intended to do it in that manner. ;-)
>> config (diffs):
>>
>> policy:
>>   - id: rsa1
>>     algorithm: RSASHA1
>>     zsk-size: 1024
>>
>> policy:
>>   - id: rsa2
>>     algorithm: RSASHA256
>>     zsk-size: 2048
>>
>> ALL zones but the test zone mentioned earlier:
>>
>>   - domain: domain.name
>>     ...
>>     dnssec-signing: on
>>     dnssec-policy: rsa1
>>
>> So why do (some) zones arbitrarily pick up the added policy when it is not
>> the policy declared within the domain block?
>
> Isn't it possible that the policy is declared in a zone template?

(Technically) answered above. But no. I define the DNSSEC policy separately,
give it an id, then use the id within each domain/zone block.

Thanks for the reply, Daniel. :-)

-- Chris

> Daniel
>
>> IOW dnssec-policy: rsa1 is the only dnssec-policy listed within all the
>> domain blocks, and it's listed within all of the domain blocks, save
>> the earlier test domain. So "stuff" happened. :-/
>>
>> Thanks again, for taking the time to respond, Anand.
>>
>> -- Chris
>>>
>>> Regards,
>>> Anand
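The thread turns on whether a zone's apex DNSKEY RRset carries one algorithm (the policy it was given) or two (a rollover in progress, or a policy it was not supposed to have). The script below is an added example and is not code from Knot DNS or from any of the posters. It parses DNSKEY records in presentation format (as printed by `kdig`/`dig` or copied from a signed zone file), computes RFC 4034 key tags, groups the keys by algorithm, and reports the findings a practitioner would want before freezing a zone and purging its key history. The sample records are constructed, with tiny fake public keys so the key tags can be checked by hand; the zone names, the `MIXED_ZONE`/`CLEAN_ZONE` inputs and the `matches_policy` check are assumptions made for the example, not anything from the thread. The reading of "5/2" and "8/2" as algorithm/digest pairs follows the thread.

```python
"""Audit a zone apex DNSKEY RRset for its algorithm mix.

Added example for this thread; not code from Knot DNS or any poster.
Input: DNSKEY records in presentation format, one per line. The sample
records are constructed with tiny fake public keys (real RSA keys are far
longer) so the RFC 4034 key tags can be verified by hand.
"""
import base64
from collections import defaultdict

# IANA DNSSEC algorithm numbers (subset used here)
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
ALGORITHM_NUMBERS = {name: num for num, name in ALGORITHM_NAMES.items()}

# Treated as weak for this audit: the RFC 8624 "MUST NOT sign" set (1, 3, 6,
# 12) plus the SHA-1 based RSASHA1 / RSASHA1-NSEC3-SHA1 (5, 7), which RFC 8624
# marks NOT RECOMMENDED for signing.
WEAK_ALGORITHMS = {1, 3, 5, 6, 7, 12}


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA in wire format."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may be split
    return {
        "owner": fields[0],
        "flags": flags,
        "algorithm": algorithm,
        "role": "KSK" if flags & 1 else "ZSK",  # SEP bit set => KSK (or CSK)
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def audit_zone(lines):
    """Group the DNSKEYs by algorithm and return findings worth acting on."""
    keys = [parse_dnskey(line) for line in lines
            if line.strip() and not line.lstrip().startswith(";")]
    by_alg = defaultdict(list)
    for k in keys:
        by_alg[k["algorithm"]].append(k)
    algorithms = sorted(by_alg)
    findings = []
    if len(algorithms) > 1:
        names = ", ".join(f"{a} ({ALGORITHM_NAMES.get(a, '?')})" for a in algorithms)
        findings.append(
            f"multiple algorithms present: {names}; either an algorithm "
            "rollover is in progress (RFC 6781 4.1.4) or the zone picked up a "
            "second policy. Until the old keys are withdrawn every RRset must "
            "carry an RRSIG of each algorithm (RFC 4035 2.2)")
    for a in algorithms:
        if a in WEAK_ALGORITHMS:
            findings.append(f"algorithm {a} ({ALGORITHM_NAMES.get(a, '?')}) "
                            "is not recommended for signing (RFC 8624)")
        if not any(k["flags"] & 256 for k in by_alg[a]):
            findings.append(f"algorithm {a} has no key with the ZONE flag set")
    return {"algorithms": algorithms, "keys": keys, "findings": findings}


def matches_policy(audit, algorithm_name):
    """True iff the zone carries exactly the algorithm its policy declares."""
    return audit["algorithms"] == [ALGORITHM_NUMBERS[algorithm_name]]


# Constructed sample input (fake keys), not records from the thread.
MIXED_ZONE = [  # on policy rsa1 but showing algorithms 5 and 8, as in the thread
    "; constructed sample, not real keys",
    "example.net. 3600 IN DNSKEY 257 3 5 AQAB",
    "example.net. 3600 IN DNSKEY 256 3 5 AQID",
    "example.net. 3600 IN DNSKEY 257 3 8 AQAB",
    "example.net. 3600 IN DNSKEY 256 3 8 AQID",
]
CLEAN_ZONE = [  # on policy rsa2, single algorithm
    "example.org. 3600 IN DNSKEY 257 3 8 AQAB",
    "example.org. 3600 IN DNSKEY 256 3 8 AQID",
]

if __name__ == "__main__":
    for zone, lines, policy in (("example.net", MIXED_ZONE, "RSASHA1"),
                                ("example.org", CLEAN_ZONE, "RSASHA256")):
        result = audit_zone(lines)
        print(f"{zone}: algorithms {result['algorithms']}, "
              f"policy {policy} matches: {matches_policy(result, policy)}")
        for k in result["keys"]:
            print(f"  {k['role']} alg={k['algorithm']} tag={k['key_tag']}")
        for f in result["findings"]:
            print(f"  ! {f}")
```

Run against the live apex (`kdig @ns example.net. DNSKEY` piped in, one record per line) a zone that is declared `dnssec-policy: rsa1` but reports both algorithm 5 and 8 is exactly the situation described above; the key tags let you match the extra keys against what `keymgr` lists for that zone before deciding whether it is a sanctioned rollover or a policy mix-up.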