On 1 Dec 2025, at 11:32, Libor Peltan <libor.peltan(a)nic.cz> wrote:
> 1) Is it possible that the issue is not really triggered by the algorithm rollover, but by a Knot DNS version upgrade? Have you upgraded Knot DNS recently?
I just ran `knotc zone-ksk-submitted` on three different servers, all with zones migrating from RSASHA256 to ECDSAP256SHA256, and I’m not seeing the error (yet). All three sets of servers are running Knot 3.5.2 on FreeBSD 14.3.
Either the error happens later, when the old keys are purged, or the error has been fixed between 3.5.0 and 3.5.2. I did upgrade a server to 3.5.2 and saw the error, but that was after the rollover had finished on the primary while it was running 3.5.0.
I’m going to attempt to downgrade a server to 3.5.0 and perform an algorithm rollover and sync. If the error appears, we’ll know it’s in the rollover itself where some state is produced which causes the error.
.einar