Hi MJ,
- enable dnssec for the zone / reverse zone in
knot.conf
- restart knot
- display the generated dnssec keys, using:
(plus the reverse)
- send the outputs of the above to the admins at company.com
- after they have entered the keys in their dns, the world can check &
verify our dnssec, and things are operational.
Correct. One thing left is that you should tell Knot that the parent already has the correct DS. This can be achieved in two ways:
1) by calling `knotc zone-ksk-submitted`
2) by configuring the submission section, you enable Knot to find this out itself.
https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#dnssec-key-rollovers
Question one:
Is there some kind of notification mechanism in knot, that reminds us (through email for example) that a ksk is about to expire, and keys need to be renewed at company.com dns? I cannot find such a function.
Does it not exist? Or do we misunderstand something? It seems to be so vital.
Again, you have several options:
1) read the Knot log file (it's not too cluttered usually)
2) use structured logging (see the end of the already linked documentation chapter; this is mostly useful for scripting)
3) not configure ksk-lifetime (set to zero = infinity) and either never roll the KSK at all, or trigger the roll manually as needed by calling `knotc zone-key-rollover ksk`
Question two:
How unreasonable/insecure would it be to take a longer ksk lifetime than one year, let's say 10 years? With the idea that we can always manually renew keys earlier, in case we need to.
This is difficult to say. Unless the quantum-computing apocalypse arrives, it seems quite safe to use a single KSK for several years.
Feedback on the above is welcome. We have scheduled a maintenance moment next week with the admins on company.com to send them the keys and activate dnssec.
Thanks in advance for any feedback/pointers you can provide.
Best regards,
MJ
Wish you all the best,
Libor
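For reference, here is a minimal knot.conf that wires together the options Libor lists (a submission section so Knot checks the parent DS itself, a zero ksk-lifetime so the KSK is only rolled manually, and a zone log to watch for key events). This is an added example, not configuration from this thread or the Knot project; the zone names, parent address and log path are placeholders.

```yaml
# Added example, not from the thread above. Placeholders: zone names,
# parent name server address, log path.

log:
  # Question one: KSK state changes (submission, rollover, retirement) are
  # written to the zone log; tail this file or forward it to your alerting.
  - target: /var/log/knot/knot.log   # placeholder path
    zone: info

remote:
  # Placeholder: an authoritative name server of the parent zone (company.com).
  - id: parent_ns
    address: 192.0.2.53

submission:
  # Option 2 from the reply: Knot polls the parent to see whether the DS has
  # been published, so you do not have to run `knotc zone-ksk-submitted <zone>`.
  - id: parent_ds_check
    parent: parent_ns
    check-interval: 1h

policy:
  - id: manual_ksk
    algorithm: ecdsap256sha256
    # Option 3 from the reply: 0 means the KSK is never rolled automatically.
    # Roll it on your own schedule with `knotc zone-key-rollover <zone> ksk`.
    ksk-lifetime: 0
    ksk-submission: parent_ds_check
    # Publish CDS/CDNSKEY so the parent operator can pick up the new DS.
    cds-cdnskey-publish: always

zone:
  - domain: example.com            # placeholder for the forward zone
    dnssec-signing: on
    dnssec-policy: manual_ksk
  - domain: 2.0.192.in-addr.arpa   # placeholder for the reverse zone
    dnssec-signing: on
    dnssec-policy: manual_ksk
```

After a `knotc reload`, `keymgr <zone> ds` prints the DS records to hand to the company.com admins, and `knotc zone-status <zone>` shows whether the submission check has seen the DS at the parent.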