Dear Volker,

It is true that the method for creating a CSK is not explicitly mentioned in the documentation; we shall fix that. You can create a CSK using our keymgr utility by specifying both the 'ksk=yes' and 'zsk=yes' parameters of the 'generate' command. E.g.

$ keymgr -c /path/to/knot.conf example.com. generate ksk=yes zsk=yes remove=+1y

creates an immediately active CSK with a 1-year lifetime. You can check out all possible timestamp settings in the docs.

Please note that the geoip module is currently not very well integrated into Knot's DNSSEC workflow. For instance, the only way to refresh RRSIGs precomputed by the module is to reload it (knotc zone-reload). One approach for now could be to create a CSK with a strong algorithm (e.g. the default ECDSAP256SHA256) and a long lifetime, e.g. 1 year, and to set the same lifetime for the RRSIGs. The policy configuration could look like this:

policy:
  - id: manual
    manual: on
    algorithm: ECDSAP256SHA256
    rrsig-lifetime: 365d

zone:
  - domain: example.com.
    dnssec-signing: on
    dnssec-policy: manual


Then you would only have to perform a manual key rollover while reloading the zone so that the module computes the new signatures. We will update the documentation to include this information. In addition, you can sync the key from one server to others by copying the KASP LMDB database, e.g. using the mdb_dump and mdb_load tools. If you have any further questions, let us know!


Best regards,

Mark



On 19.10.2018 10:13, Volker Janzen wrote:

Hi all,

I'd like to test the geoip module with a signed zone. The documentation recommends using manual mode for signing. As far as I know, the geoip information is not transferred via AXFR. That would mean that I have to transfer the signing key to the secondary servers along with the geoip (and zone) configuration. To reduce caveats with ZSKs, I'd like to use a CSK. As a result, I just need to sync one key per zone to the secondary servers. I checked the Knot documentation on how to use a CSK for a zone, but the CSK is only mentioned twice in the documentation, with no example of how to actually use it. Can someone point me to a configuration example for setting up a CSK?


Kind regards,
   Volker