Hi,
See the relevant parts of the config and also the log below. There were no updates to the zone; I have flushed the journal to file, performed the zone-status command followed by knotc reload. Then I can see that the zone is re-signed and a zone transfer follows (KNOT is a hidden master).
Configuration (just rozjezdy.cz chosen as an example):
policy:
  - id: tmcz-default
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d
    ksk-lifetime: 90d
    nsec3: on
    nsec3-salt-length: 16
    cds-cdnskey-publish: always
    propagation-delay: 1d
    ksk-submission: nic.cz
template:
  - id: signed
    storage: "/var/lib/knot/signed"
    file: "db.%s"
    serial-policy: unixtime
    disable-any: on
    semantic-checks: on
    module: mod-rrl/rrl-10
    module: mod-stats/custom
    notify: idunn-freya
    acl: [allowed_transfer]
    dnssec-policy: tmcz-default
    dnssec-signing: on
zone:
  - domain: rozjezdy.cz
    template: signed
root@idunn:/etc/knot# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513089643 | transaction: none | freeze: no | refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC re-sign: +6D17h31m18s | NSEC3 resalt: +22D22h35m50s | parent DS query: not scheduled
root@idunn:/etc/knot#
root@idunn:~# journalctl -u knot -f | grep rozjezdy
Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-flush'
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513089643 -> 1513094831
Dec 12 17:07:12 idunn knotd[4604]: info: [rozjezdy.cz.] notify, outgoing, 93.153.117.50@53: serial 1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@40241: started, serial 1513089643 -> 1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@40241: finished, 0.00 seconds, 1 messages, 705 bytes
Dec 12 17:07:14 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@40111: started, serial 1513089643 -> 1513094831
Dec 12 17:07:14 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@40111: finished, 0.00 seconds, 1 messages, 705 bytes
root@idunn:/etc/knot# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513094831 | transaction: none | freeze: no | refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC re-sign: +6D17h27m3s | NSEC3 resalt: +22D22h31m35s | parent DS query: not scheduled
root@idunn:/etc/knot#
I have not checked it in detail, nevertheless it seems that all zones are re-signed:
Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-flush'
Dec 12 17:07:01 idunn knotd[4604]: info: control, received command 'reload'
Dec 12 17:07:01 idunn knotd[4604]: info: reloading configuration file '/etc/knot/knot.conf'
Dec 12 17:07:08 idunn knotd[4604]: info: configuration reloaded
Dec 12 17:07:08 idunn knotd[4604]: info: [test.net.] DNSSEC, signing zone
Dec 12 17:07:08 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing zone
Dec 12 17:07:09 idunn knotd[4604]: info: [test.net.] DNSSEC, key, tag 31290, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:09 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, key, tag 50849, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:09 idunn knotd[4604]: info: [test.net.] DNSSEC, key, tag 51884, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:09 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, key, tag 40637, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, signing started
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, zone is up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, next signing at 2017-12-14T13:22:15
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, signing zone
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, key, tag 53237, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, key, tag 36052, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing started
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, next signing at 2017-12-15T14:01:52
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, signing zone
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, key, tag 11563, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, key, tag 39847, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, signing started
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, next signing at 2017-12-15T08:26:15
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, signing zone
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, key, tag 30976, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, key, tag 26699, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, next signing at 2017-12-19T16:39:13
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, signing zone
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, key, tag 26662, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, key, tag 38793, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, next signing at 2017-12-19T16:39:13
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, signing zone
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, key, tag 1752, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, key, tag 30878, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, next signing at 2017-12-13T09:52:40
Dec 12 17:07:11 idunn knotd[4604]: info: [tmusic.cz.] DNSSEC, signing zone
Regards
Ales
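To tell apart zones that a reload merely checked ("zone is up-to-date") from zones it actually re-signed and then pushed to the secondaries, here is a small added log parser; it is not code from the thread or from Knot DNS, and the sample lines are constructed to match the knotd journal format shown above.

```python
import re

# Constructed sample modelled on the knotd journal format shown in the thread;
# not a capture from the poster's server.
SAMPLE_LOG = """\
Dec 12 17:07:01 idunn knotd[4604]: info: control, received command 'reload'
Dec 12 17:07:08 idunn knotd[4604]: info: configuration reloaded
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing started
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513089643 -> 1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@40241: started, serial 1513089643 -> 1513094831
Dec 12 17:07:14 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.20@40111: started, serial 1513089643 -> 1513094831
"""

# knotd prefixes zone-specific messages with "[zone.]"; global messages have no prefix.
LINE_RE = re.compile(r"knotd\[\d+\]: \w+: (?:\[(?P<zone>[^\]]+)\] )?(?P<msg>.*)$")
SERIAL_RE = re.compile(r"serial (\d+) -> (\d+)")


def summarize_after_reload(log_text):
    """Per-zone DNSSEC outcome for everything logged after 'configuration reloaded'."""
    zones = {}
    after_reload = False
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        zone, msg = m.group("zone"), m.group("msg")
        if zone is None:
            # Only start counting once the reload has actually been applied.
            after_reload = after_reload or msg.startswith("configuration reloaded")
            continue
        if not after_reload:
            continue
        z = zones.setdefault(zone, {"resigned": False, "serial": None, "xfr_out": 0})
        if msg.startswith("DNSSEC, successfully signed"):
            z["resigned"] = True          # signatures were rebuilt
        elif msg.startswith("zone file updated"):
            s = SERIAL_RE.search(msg)
            z["serial"] = (int(s.group(1)), int(s.group(2)))
        elif msg.startswith("IXFR, outgoing") and ": started" in msg:
            z["xfr_out"] += 1             # each transfer started to a secondary
    return zones


def resigned_zones(zones):
    """Zones whose reload-triggered signing changed data (vs. 'zone is up-to-date')."""
    return sorted(name for name, z in zones.items() if z["resigned"])
```

Running it over the full `journalctl -u knot` output around a reload gives a per-zone count of re-signs and outgoing transfers, which is the cost the thread is asking about.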
On Tuesday 12 December 2017 15:27:22 CET Daniel Salzman wrote:
Hi,
If the zone is up-to-date, then there is no re-sign during server reload.
Are the changes stored in the journal/zonefile? Could you send me
some relating parts of the log?
Daniel
On 12/12/2017 03:20 PM, Aleš Rygl wrote:
Hi everybody,
I have a question related to zone signing. Whenever I reload the knot
config using knotc reload it starts to re-sign all DNSSEC-enabled zones.
It sometimes makes the daemon unresponsive to the knotc utility.
root@idunn:# knotc reload
error: failed to control (connection timeout)
Is it a design intent to sign zones while reloading config? Is it really
needed? It invokes zone transfers, consumes resources, etc.
Thanks for the answer
With regards
Ales
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users