Hi Daniel,
I have tried:
  - domain: rozjezdy.cz
    template: signed
    zonefile-load: difference
Zone status before config reloads:
root@idunn:/etc/knot# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513694442 | transaction: none | freeze: no | refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC re-sign: +6D15h11m9s | NSEC3 resalt: +15D20h15m41s | parent DS query: not scheduled
Nevertheless it does not seem to have any effect. The 1st reload below is without
"zonefile-load: difference".
root@idunn:~# journalctl -u knot -S "2017-12-19 19:20" -f | grep "rozjezdy\|reload"
Dec 19 19:20:00 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-read'
Dec 19 19:23:43 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 19 19:25:57 idunn knotd[4604]: info: control, received command 'reload'
Dec 19 19:25:57 idunn knotd[4604]: info: reloading configuration file '/etc/knot/knot.conf'
Dec 19 19:26:07 idunn knotd[4604]: info: configuration reloaded
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-26T10:34:52
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513694442 -> 1513707970
Dec 19 19:26:10 idunn knotd[4604]: info: [rozjezdy.cz.] notify, outgoing, 93.153.117.50@53: serial 1513707970
Dec 19 19:26:11 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@42577: started, serial 1513694442 -> 1513707970
Dec 19 19:26:11 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@42577: finished, 0.00 seconds, 1 messages, 705 bytes
Dec 19 19:26:12 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@56615: started, serial 1513694442 -> 1513707970
Dec 19 19:26:12 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@56615: finished, 0.00 seconds, 1 messages, 705 bytes
===== 2nd reload =====
Dec 19 19:28:40 idunn knotd[4604]: info: control, received command 'reload'
Dec 19 19:28:41 idunn knotd[4604]: info: reloading configuration file '/etc/knot/knot.conf'
Dec 19 19:28:53 idunn knotd[4604]: info: configuration reloaded
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 19 19:28:56 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-26T10:34:52
Dec 19 19:28:57 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513707970 -> 1513708136
Dec 19 19:28:58 idunn knotd[4604]: info: [rozjezdy.cz.] notify, outgoing, 93.153.117.50@53: serial 1513708136
Dec 19 19:28:58 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@37453: started, serial 1513707970 -> 1513708136
Dec 19 19:28:58 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@37453: finished, 0.00 seconds, 1 messages, 705 bytes
Dec 19 19:29:00 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@47995: started, serial 1513707970 -> 1513708136
Dec 19 19:29:00 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@47995: finished, 0.00 seconds, 1 messages, 705 bytes
===== 3rd reload: =====
Dec 19 19:31:22 idunn knotd[4604]: info: control, received command 'reload'
Dec 19 19:31:23 idunn knotd[4604]: info: reloading configuration file '/etc/knot/knot.conf'
Dec 19 19:31:28 idunn knotd[4604]: info: configuration reloaded
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 19 19:31:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-26T10:34:52
Dec 19 19:31:32 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513708136 -> 1513708291
Dec 19 19:31:32 idunn knotd[4604]: info: [rozjezdy.cz.] notify, outgoing, 93.153.117.50@53: serial 1513708291
Dec 19 19:31:34 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@58367: started, serial 1513708136 -> 1513708291
Dec 19 19:31:34 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@58367: finished, 0.00 seconds, 1 messages, 705 bytes
Dec 19 19:31:35 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@32929: started, serial 1513708136 -> 1513708291
Dec 19 19:31:35 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@32929: finished, 0.00 seconds, 1 messages, 705 bytes
IMHO there is no reason for a zone re-sign.
Content of rozjezdy.cz:
;; Zone dump (Knot DNS 2.6.3)
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513708291 7200 600 1209600 3600
rozjezdy.cz. 3600 NS ns2.gts.cz.
rozjezdy.cz. 3600 NS freya.t-mobile.cz.
rozjezdy.cz. 3600 NS idunn.t-mobile.cz.
rozjezdy.cz. 3600 MX 10 ms.glow.cz.
rozjezdy.cz. 3600 TXT "v=spf1 +all"
rozjezdy.cz. 3600 A 77.78.107.190
rozjezdy.cz. 3600 DNSKEY 256 3 13
vYmiA2bjCC2MFdb3rX/bq27KkptR9kAUoQzlpbgbhIOHfvK1RQPBqHN2caloQ/hVSdl1dDraGHMvUvHWd+ZK2w==
rozjezdy.cz. 3600 DNSKEY 257 3 13
XMHN1TNq54o2afNNcgmJ7D7gioZ1QFSsCdFXFRJfQojlafd44fHHWihfM1OQ+jswgfo9OYgALfqPFR/XH0givw==
rozjezdy.cz. 0 CDNSKEY 257 3 13
XMHN1TNq54o2afNNcgmJ7D7gioZ1QFSsCdFXFRJfQojlafd44fHHWihfM1OQ+jswgfo9OYgALfqPFR/XH0givw==
rozjezdy.cz. 0 CDS 52375 13 2
484003681345128F0B8D208C6CB34FAB7A0BF6926F49B73251EAE53DE55CAB75
rozjezdy.cz. 0 NSEC3PARAM 1 0 10 -
www.rozjezdy.cz. 3600 CNAME rozjezdy.cz.
;; DNSSEC signatures
rozjezdy.cz. 3600 RRSIG A 13 2 3600 20180102093452 20171219080452 53957
rozjezdy.cz.
Tp7dJqJb/TwT0ymaYpvUcR8xlDFqOOxmlVXbzBq/N2iIuzxdCJDFUnquasS3HchO7v1ebYLWNY28BtWIdCOCnA==
rozjezdy.cz. 3600 RRSIG NS 13 2 3600 20180102093452 20171219080452 53957
rozjezdy.cz.
NOZU3T1+GsKbPFnE9ApeZJ900P5SLLfCS6zkwZmQl625PWM4nmXLYP1mebbf7ywdf5+Llztv74mJU4MHbAWqtA==
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102183131 20171219170131 53957
rozjezdy.cz.
KklZfsp8Ztzih04/Weedt1aP5Qa9oxsnj72KuGeeqI1szSvL/l6uGC6Rf6ZZJjrN/A/TQMcJzbkgwIMe6YetYA==
rozjezdy.cz. 3600 RRSIG MX 13 2 3600 20180102093452 20171219080452 53957
rozjezdy.cz.
rl4/0l7GM7aSGVGbEpjzCd8vu43+LaNTYiKlP7rBix6OdwZettSCLAKW0yF7y+rduvar0GBm22ZHVO5kMnSQsA==
rozjezdy.cz. 3600 RRSIG TXT 13 2 3600 20180102093452 20171219080452 53957
rozjezdy.cz.
kvISPLCm8YUqbBxIar0Ay3gS9DvZ5/LNgj+kB2kcsUVy8dj3MF+FrOjn5gQrj+8h8Vw1eT6hwqXPNAsVYH4ZVQ==
rozjezdy.cz. 3600 RRSIG DNSKEY 13 2 3600 20180102132118 20171219115118
52375 rozjezdy.cz.
Qqj3siwXg/sFdK8LCe5iUcy4COP9XbMvjGnUWxj7CdcqNhNnjM3KFIJb628bRsrgSv/P1XmxspCxaA9mi/UKNg==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102183131 20171219170131
53957 rozjezdy.cz.
FfE9FhQgr8NWCfKf9d1aA0I8h4cd7CCSRbp0Nkq+BXmLOpRMs862lRSWCNHPxRPqufQvjo34AlroRrTYpevwEg==
rozjezdy.cz. 0 RRSIG CDS 13 2 0 20180102093452 20171219080452 53957
rozjezdy.cz.
dvgtm8dVDrVNI47PVy1uFV8sRf11prgMjHVc6MQ7rYRQa0pr1bUHSQksW1n3JVBiTmfWTKjT/++8yEv8ZiCPzQ==
rozjezdy.cz. 0 RRSIG CDNSKEY 13 2 0 20180102093452 20171219080452 53957
rozjezdy.cz.
k9PfpKDCpOgOzt0+xe0SDke81et9ST3V86Nf9w0x7GWtVFRiZmJlOEevJtxGGNqFmrOXAYnIQuKL/+bMAnUxAw==
www.rozjezdy.cz. 3600 RRSIG CNAME 13 3 3600 20180102093452 20171219080452
53957 rozjezdy.cz.
8pCV7fzDTrocVR3eVszHeaRpZDVaCIJKHlrrZSv/zvXG23mUfxNkr2fb1doVC7h3IYgxfQPzA/S+XnFLxUkpEw==
;; DNSSEC NSEC3 chain
dqrampcd1k487r07t2gi35ah2r44ltgu.rozjezdy.cz. 3600 NSEC3 1 0 10 -
FLVVS4U1UT4AG241269G9SRVDP08PUS3 CNAME RRSIG
flvvs4u1ut4ag241269g9srvdp08pus3.rozjezdy.cz. 3600 NSEC3 1 0 10 -
DQRAMPCD1K487R07T2GI35AH2R44LTGU A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
;; DNSSEC NSEC3 signatures
dqrampcd1k487r07t2gi35ah2r44ltgu.rozjezdy.cz. 3600 RRSIG NSEC3 13 3 3600
20180102144042 20171219131042 53957 rozjezdy.cz.
wCX+HQ2NWTlnzAFhriJgk3WLBDOtVzLCTyaZbO+3NFEgh94vLQ8xpMO8wMxOSWdf1oqOtAPozmxNimVjXmGXKQ==
flvvs4u1ut4ag241269g9srvdp08pus3.rozjezdy.cz. 3600 RRSIG NSEC3 13 3 3600
20180102144042 20171219131042 53957 rozjezdy.cz.
rzrUuG2ABhWaUoEL6pjeBDhm8+1JcXTDno3ys6XqP72+R+jA50cfx2UJK0tRlcxwJpuOHhchnC/VxDz3Qh1KPg==
;; Written 27 records
;; Time 2017-12-19 19:31:32 CET
Let me know if I can do something more here.
Regards
Ales
On Monday 18 of December 2017 10:18:29 Daniel Salzman wrote:
Hi Aleš,
Could you please set "zone.zonefile-load: difference"
(https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#zonefile-load)? As
the server configuration was extended, some new operation situations have
emerged and we have to consider how to handle them...
Thanks,
Daniel