Hey Tobias,
have you tried setting "retire" and "remove" to the exact same value?
Each record has to be signed by every algorithm in the DNSKEY set. That's
the reason for the error you see. But you can have extra signatures
with an algorithm that is not in the DNSKEY set. This is used in
algorithm rollover. You can do that manually with Knot. The process is
described in RFC 6781
(https://tools.ietf.org/html/rfc6781#section-4.1.4). In short: you
need to pre-publish the new signatures, publish the new DNSKEY, remove the old
DNSKEY, and remove the old signatures. Pre-publishing signatures means that the
key is active but not published in Knot terminology.
Jan
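The sequence Jan describes can be checked before touching the zone. The following is an added example, not code from Knot or from the list post: it models a ZSK with the four keymgr timing attributes, then asks for every moment whether a validator that fetched the DNSKEY RRset and the RRSIGs up to one TTL apart (the caching argument of RFC 6781) could see a DNSKEY algorithm with no matching signature. Key names, the step length and the TTL are constructed values.

```python
"""Check a key timeline against the RFC 6781 algorithm-rollover rule."""
from dataclasses import dataclass

NEVER = 2**62  # sentinel: no retire/remove scheduled

@dataclass
class Key:
    name: str
    algorithm: str
    publish: int  # DNSKEY enters the zone
    active: int   # key starts producing RRSIGs
    retire: int   # key stops producing RRSIGs
    remove: int   # DNSKEY leaves the zone

def dnskey_algs(keys, t):
    return {k.algorithm for k in keys if k.publish <= t < k.remove}

def rrsig_algs(keys, t):
    return {k.algorithm for k in keys if k.active <= t < k.retire}

def rollover_violations(keys, ttl):
    """Return violations; [] means the timeline is safe. Zone state is
    piecewise constant, so only state intervals whose members can lie
    less than one TTL apart need to be compared against each other."""
    times = sorted({getattr(k, f) for k in keys
                    for f in ("publish", "active", "retire", "remove")} - {NEVER})
    spans = list(zip(times, times[1:] + [NEVER]))
    bad = []
    for ks, ke in spans:            # interval the DNSKEY RRset was fetched in
        for ss, se in spans:        # interval the RRSIGs were fetched in
            if ss - ke >= ttl or ks - se >= ttl:
                continue            # a full TTL apart: never cached together
            missing = dnskey_algs(keys, ks) - rrsig_algs(keys, ss)
            if missing or not rrsig_algs(keys, ss):  # also: no signing ZSK at all
                bad.append(f"DNSKEY@{ks} vs RRSIG@{ss}: unsigned {sorted(missing)}")
    return bad

def naive_rollover(step):
    """New ZSK published and active at once, old ZSK retired and removed at once."""
    return [Key("old", "RSASHA256", 0, 0, 2 * step, 2 * step),
            Key("new", "ECDSAP256SHA256", step, step, NEVER, NEVER)]

def rfc6781_rollover(step):
    """New RRSIGs, then new DNSKEY, then drop old DNSKEY, then drop old RRSIGs.
    active < publish and remove < retire are the 'active but not published' states."""
    return [Key("old", "RSASHA256", 0, 0, 4 * step, 3 * step),
            Key("new", "ECDSAP256SHA256", 2 * step, step, NEVER, NEVER)]
```

Running `rollover_violations(rfc6781_rollover(7200), 3600)` is clean, while the naive timeline reports both an unsigned ECDSAP256SHA256 and an unsigned RSASHA256 window; shrinking the step below the TTL makes even the RFC 6781 order fail, which is why each step must wait out the TTL.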
On Mon, Mar 27, 2017 at 2:56 PM, Tobias Brunner <tobias(a)tobru.ch> wrote:
Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with keymgr
to a value in the near future, but that just led to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users