Hi Daniel,
works as it should, thanks!
Thomas
On 20.03.19 20:58, daniel.salzman(a)nic.cz wrote:
Hi Thomas,
I don't think that a simple backup using rsync is safe. In general,
Knot DNS manages up to 4 LMDB databases (confdb, journal, timers, and
kaspdb).
You should back up these databases using the proper commands.
See
https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#export-import-kasp-db
Probably you don't have to backup journal and timers.
Daniel
On 2019-03-20 13:48, Thomas E. wrote:
> Hi!
>
> We've been experimenting with backups and disaster recovery in our
> knot test setup and have been running into a weird issue.
>
> Basically our backup strategy right now is to perform incremental
> backups of the /var/lib/knot and the /etc/knot directories via rsync.
>
> When we try to restore these backups knot starts successfully, but
> logs the following messages for each of the zones that are currently
> in a signed template:
>
> 2019-03-08T11:43:05 info: [example.com.] DNSSEC, signing zone
> 2019-03-08T11:43:05 error: [example.com.] zone event 'DNSSEC re-sign'
> failed (invalid parameter)
>
> When we try to query information about these zones via dig we receive
> a SERVFAIL rcode for them.
>
> All of the zones that are not processed through the DNSSEC mechanism
> are unaffected by this.
>
> We also experienced the same behavior when we were experimenting with
> adding new zones that are signed immediately.
>
> To work around this problem we currently add the zone in an unsigned
> state (aka default template) to knot and after that we switch the
> template of the zone to "signed".
>
> This works like a charm for new zones and can also be used to recover
> each of the broken zones after restoring the backup, but we'd rather
> not use this workaround during disaster recovery as it would impose
> the danger of breaking the zones if it is not performed correctly.
>
> The templates and policies in our knot.conf look like this right now:
>
> policy:
>   - id: shared
>     algorithm: RSASHA256
>     ksk-size: 2048
>     zsk-size: 1024
>     zsk-lifetime: 1d
>     ksk-lifetime: 2d
>     ksk-shared: true
>     ksk-submission: resolver
>     nsec3: true
>     cds-cdnskey-publish: always
>
> template:
>   - id: default
>     storage: "/var/lib/knot"
>     semantic-checks: on
>     global-module: mod-stats
>     master: primary
>     notify: secondaries
>     acl: [primary, secondaries]
>     serial-policy: unixtime
>     dnssec-signing: off
>
>   - id: signed
>     dnssec-signing: on
>     dnssec-policy: shared
>     master: primary
>     notify: secondaries
>     acl: [primary, secondaries]
>     serial-policy: unixtime
>
> zone:
>   - domain: example.com
>     template: signed
>
>
> Thanks,
> Thomas
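A post-restore check, added here as an example and not code from the thread or from Knot DNS: it scans a knotd log for the 'DNSSEC re-sign' failure Thomas quoted and lists the affected zones, so a disaster-recovery drill can be flagged before those zones start answering SERVFAIL. It assumes log entries in the "<timestamp> <level>: [<zone>] <message>" shape of the quoted lines, one entry per line (the mail client wrapped the second one); the sample log, including the example.net and example.org entries, is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Knot DNS.
# Assumed log layout (taken from the lines quoted in the thread):
#   <timestamp> <level>: [<zone>] <message>

# Constructed sample log modelled on the quoted lines; the example.net and
# example.org entries are invented for the example.
sample_log() {
    cat <<'EOF'
2019-03-08T11:43:05 info: [example.com.] DNSSEC, signing zone
2019-03-08T11:43:05 error: [example.com.] zone event 'DNSSEC re-sign' failed (invalid parameter)
2019-03-08T11:43:06 info: [example.net.] DNSSEC, signing zone
2019-03-08T11:43:07 error: [example.org.] zone event 'DNSSEC re-sign' failed (invalid parameter)
2019-03-08T11:43:08 info: [example.com.] DNSSEC, signing zone
2019-03-08T11:43:08 error: [example.com.] zone event 'DNSSEC re-sign' failed (invalid parameter)
EOF
}

# Print, one per line and without duplicates, the zones whose 'DNSSEC re-sign'
# event failed in the log file given as $1 ("-" reads stdin).
failed_resign_zones() {
    grep -F "zone event 'DNSSEC re-sign' failed" -- "$1" \
        | sed -n 's/^.*\[\([^]]*\)\].*$/\1/p' \
        | sort -u
}

# Exit status 0 when no zone failed to re-sign, 1 otherwise. The failing zones
# are printed to stderr so the restore runbook can stop before they go live.
check_restore() {
    zones=$(failed_resign_zones "$1")
    if [ -n "$zones" ]; then
        printf 'zones failing DNSSEC re-sign after restore:\n%s\n' "$zones" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo over the constructed sample: `sh check_restore.sh --demo`
# reports example.com. and example.org. and exits 1. For a real restore, run
# `check_restore /path/to/knotd.log` (path is an assumption; adjust to your setup).
if [ "${1:-}" = "--demo" ]; then
    sample_log | check_restore -
fi
```

The grep pattern is the exact message text from the thread; `sort -u` collapses the repeated example.com. failures that knotd logs on every re-sign attempt, so the output is a clean list of zones to inspect (or re-add via the unsigned-then-signed template switch Thomas describes).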