We're preparing to migrate our zones from OpenDNSSEC 1.4 to Knot DNS 3.1
(and eventually the .is zone).
We've already migrated one unsigned zone to the new signers, but next
on the list is the first currently signed zone.
We're going to migrate the zone by doing a key rollover, so we'll add
DNSKEY records for the new keys to the zone on the old signer and vice
versa. While we're migrating the zone we have to stop automatic key
rollovers, and I planned to create a new policy 'dnssec_freeze' with
`manual: on` and apply it to zones during migration.
I just realized that Knot replaces the whole DNSKEY set in the zone with
the keys from the KASP, so my plan to add the DNSKEY records from the
old signer to the zone before signing is not valid.
I guess we'll have to move the old keys to the new signers.
.einar