[knot-dns-users] When knot delete old ksk key ?

Hi, thank you for contacting us with your issues with Knot DNS. However, you have hit wrong channel: knot-resolver-users mailing-list is intended for users of Knot Resolver. I'm sending this reply already to proper channel. You correctly pointed out that Knot did not delete old key after the delete-delay period. This seems to be an effect of an actually intentional, but perhaps tricky feature: Knot postpones this (relatively unnecessary) key deletion until next signing process. The point is, that initializing the whole "signing machinery" just in order to purge a deleted (marked as such) key might be an overkill (mostly on configurations with many many zones). You can see the next planned singing event when calling `knotc zone-status` or when inspecting the logfile for logs of the previous signing event. Please let me know if the deleted key disappears once the zone is re-signed. I guess it might take up to a week, since this long it takes between RRSIGs re-creation according to your configuration. If you need to delete the key immediately, you can use keymgr utility, or it might be also done with `knotc zone-keys-load` (basically triggering the zone signing process out of schedule). Thank you, Libor