Hello Thomas,
On 05.03.19 11:24, Thomas E. wrote:
> Will the "knotc zone-ksk-submitted" command still be necessary for the
> initial DS lookup when signing a new zone? Or is the "ksk-submission"
> statement sufficient in any case?
The use of "ksk-submission" is sufficient.
From the knot documentation:
"At this point new KSK has to be submitted to the parent zone. Knot
detects the updated parent’s DS record automatically (and waits for
additional period of the DS’s TTL before retiring the old key) if parent
DS check is configured, otherwise the operator must confirm it manually
with knotc zone-ksk-submitted"
https://www.knot-dns.cz/docs/2.7/singlehtml/
I've never used "knotc zone-ksk-submitted". Maybe it's useful if you
have a broken trust chain to your zone and in some scenario you might
want to tell knot to go ahead...
Daniel
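For readers who want to see what "parent DS check is configured" looks like in practice, here is an added example (not part of the thread above, and not taken from the Knot documentation) of a Knot DNS 2.7 configuration in which the policy's ksk-submission refers to a submission section, so Knot polls the parent's DS set itself during a KSK rollover. The remote id parent_ns, the 192.0.2.1 address, the zone name example.com. and the timeout value are assumptions chosen for illustration.

```yaml
# Added example, not from the mailing-list thread: a Knot DNS 2.7 setup in
# which the KSK submission check runs automatically against the parent zone.
# parent_ns, 192.0.2.1, example.com. and the timeout value are assumed.

remote:
  - id: parent_ns                 # assumed: an authoritative server of the parent zone
    address: 192.0.2.1            # documentation address, replace with the real parent NS

submission:
  - id: parent-check
    parent: [ parent_ns ]         # servers queried for the zone's DS record
    check-interval: 1h            # how often Knot looks for the new DS at the parent
    timeout: 1d                   # assumed value: stop polling after this period

policy:
  - id: auto-ksk
    algorithm: ecdsap256sha256
    ksk-lifetime: 30d
    ksk-submission: parent-check  # ties the automatic parent DS check to this policy
    cds-cdnskey-publish: always   # publish CDS/CDNSKEY so the parent can pick up the new DS

zone:
  - domain: example.com.          # assumed zone name
    dnssec-signing: on
    dnssec-policy: auto-ksk
```

With ksk-submission set, Knot keeps the new KSK in the "submitted" state until it sees the matching DS at the parent and the old DS's TTL has passed, then retires the old key on its own. A policy without ksk-submission behaves as the documentation excerpt describes: the rollover waits until the operator runs knotc zone-ksk-submitted for the zone, which is the manual path Daniel mentions as useful when the trust chain to the parent is broken and the check cannot succeed.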