Hi Libor,
Thanks for your fast reply! It helps somewhat, but not all the way.
Is there any way I can do this remotely? I would like to add/del additional non-signing
keys from a central control unit.
Next step is to import CDS/CDNSKEY records. It seems dynamic updates don’t like these
either.
Can I dynamically add CSYNC?
/Ulrich
On 16 Feb 2021, at 18:49, libor.peltan <libor.peltan(a)nic.cz> wrote:
Hi Ulrich,
thank you for reporting your difficulties.
Well, DDNS provides an ability to modify zone records, but not signing keys. Even if the
update of the DNSKEY record weren't prohibited through DDNS, it wouldn't help you much,
because the DNSKEY RRset is in full control of the signing routines. Knot indeed doesn't
"like" DDNS of even RRSIG and NSEC records, etc.
My recommendations will differ depending on what you are actually trying to achieve.
If you want to add another ZSK that will be used for signing, you need to import it into
the KASP db, with its public and private part and appropriate metadata (mostly timers).
If you want to add a ZSK that will reside in the DNSKEY RRset but is not used for signing
the zone, you need to import it as "public only", with its public part and
metadata.
Both can be done with the keymgr utility and its `import-bind`, `import-pub`,
`import-pem` functions. See
https://www.knot-dns.cz/docs/3.0/singlehtml/index.html#document-man_keymgr
Either way, the DNSKEY RRset in the zone will be updated as part of the following signing
process.
I hope this helps you,
Libor
On 16. 02. 21 at 18:25 Ulrich Wisser wrote:
> Hi!
>
> Today we tried to do a dynamic update to the dnskey set.
>
> What we want to do is to import the ZSK from another signer.
>
> Didn’t work so well.
>
> Feb 16 17:15:28 ip-172-31-38-41 knotd[24222]: warning: DDNS, refusing to update DNSSEC-related record
>
> I guess knot doesn’t like dynamic DNSSEC updates.
> I even tried with policy manual:on.
>
> What does one have to do to be allowed to add (or delete) DNSKEY records?
>
> /Ulrich
>
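Libor's recommendation is to bring a foreign signer's ZSK into the DNSKEY RRset through keymgr (`import-pub` for a public-only key) rather than through DDNS. The script below is an added example, not part of this thread and not Knot's own code: it runs the sanity checks worth doing on a BIND-style `.key` file before handing it to keymgr. It parses the DNSKEY RR, rejects anything that is not a DNSKEY (the same class of DNSSEC-related records Knot refuses via DDNS), computes the RFC 4034 key tag, confirms the key is a zone key without the SEP bit (i.e. a ZSK), and checks that its key tag and algorithm do not clash with the DNSKEY RRset the local server already serves. Both input files are constructed samples; the base64 key material is dummy bytes, not a real ECDSA key, and the function names are mine.

```python
"""Pre-flight checks for a foreign ZSK before importing it as a public-only key."""
import base64
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a BIND-style .key file received from another signer.
# The base64 blob is dummy bytes, not a real ECDSA P-256 public key.
FOREIGN_ZSK_KEY_FILE = """\
; This is a zone-signing key, keyid 1553, for example.com.
example.com. IN DNSKEY 256 3 13 AAECAw==
"""

# Constructed sample input: the DNSKEY RRset currently served by the local Knot.
LOCAL_DNSKEY_RRSET = """\
example.com. 3600 IN DNSKEY 257 3 13 BAUGBw==
example.com. 3600 IN DNSKEY 256 3 13 CAkKCw==
"""

# Owner, optional TTL, optional class, then DNSKEY RDATA: flags protocol algorithm key.
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$"
)


@dataclass(frozen=True)
class DnskeyRecord:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & 0x0100)  # RFC 4034 Zone Key flag (bit 7)

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # RFC 4034 SEP flag (bit 15)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += (byte << 8) if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_key_file(text: str) -> List[DnskeyRecord]:
    """Parse DNSKEY RRs from BIND-style text. Any other record (RRSIG, NSEC, CDS, ...)
    is rejected: only a DNSKEY's public part can be imported as a public-only key."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError(f"not a DNSKEY record, cannot import as public-only key: {line!r}")
        records.append(DnskeyRecord(
            owner=m["owner"].lower().rstrip(".") + ".",
            flags=int(m["flags"]),
            protocol=int(m["proto"]),
            algorithm=int(m["alg"]),
            pubkey=base64.b64decode(re.sub(r"\s+", "", m["key"]), validate=True),
        ))
    return records


def preflight_zsk_import(local_rrset: str, foreign_key_file: str, zone: str) -> List[str]:
    """Return a list of problems; an empty list means the key looks safe to import."""
    zone = zone.lower().rstrip(".") + "."
    local = parse_key_file(local_rrset)
    local_tags = {k.key_tag() for k in local}
    local_algs = {k.algorithm for k in local}
    problems = []
    for key in parse_key_file(foreign_key_file):
        tag = key.key_tag()
        if key.owner != zone:
            problems.append(f"key {tag}: owner {key.owner} does not match zone {zone}")
        if key.protocol != 3:
            problems.append(f"key {tag}: protocol must be 3 (RFC 4034)")
        if not key.is_zone_key:
            problems.append(f"key {tag}: Zone Key flag not set, not usable as a DNSKEY")
        if key.is_ksk:
            problems.append(f"key {tag}: SEP bit set, this is a KSK rather than a ZSK")
        if tag in local_tags:
            problems.append(f"key {tag}: key tag collides with a key already in the RRset")
        if key.algorithm not in local_algs:
            # RFC 4035 2.2: every algorithm in the DNSKEY RRset must sign the whole zone.
            problems.append(f"key {tag}: algorithm {key.algorithm} is not used by the existing RRset")
    return problems


if __name__ == "__main__":
    for key in parse_key_file(FOREIGN_ZSK_KEY_FILE):
        role = "KSK" if key.is_ksk else "ZSK"
        print(f"{key.owner} {role} alg={key.algorithm} tag={key.key_tag()}")
    print(preflight_zsk_import(LOCAL_DNSKEY_RRSET, FOREIGN_ZSK_KEY_FILE, "example.com") or "OK")
```

A key that passes these checks is one you can hand to `keymgr` for a public-only import; a key tag collision or an algorithm the RRset does not already use is exactly the kind of problem that is much easier to spot here than after the next signing run has rewritten the DNSKEY RRset.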