Hi Anand,

> You don't need to. You can import the ZSKs from the old signer into
> Knot's key database, using the "import-pub" command to "keymgr". Knot
> will publish these alongside its own keys, and sign the DNSKEY RRset
> with its own KSK.

After some trial and error, I finally got the keys imported into knot.
Apparently they have to have extension .key and I kept mixing up
import-bind and import-pub...

> This is how we switched signers at RIPE NCC, and it worked perfectly.
> You can read more about it here:
> https://labs.ripe.net/author/anandb/dnssec-signer-migration/

I've read that article many, many times :) It was one of the reasons we
considered knot as our new signer platform. Your point about knot
configuration files is excellent, which meant that it's very easy to use
ansible playbooks to configure knot. Unfortunately, the same cannot be
said of opendnssec, which has served us well for many years, but having
to run commands to interface with the kasp db is not easy to do well in
ansible.
.einar