Re: [knot-dns-users] workflow for zone signing on master

Hello Chrysn, unfortunatelly, this is something we haven't figured out yet. Currently, the signed zone is flushed back to the zone file and this is the only place where the signed records are stored. We are considering storing of the automatically generated DNSSEC records in a separate file, however we have not settled on a specific solution yet. In Knot DNS 1.5, there are some improvements - the DNSSEC records are stored at the end of the zone file, which could improve the ability to store the zone file in a VCS. Another solution is to set 'zonefile-flush' option to a high value to prevent zone file flushing, tune 'ixfr-fslimit', and refrain from using 'knotc flush'. In that case, the automatically generated records will be stored in the journal only - with some drawbacks: The SOA serial is updated during the signing (according to the 'serial-policy' config option) and you will have to set the serial to a higher value when updating the zone file. Otherwise the served zone can get corrupt. Also the previous DNSSEC records will be dropped and recreated. As you suggested, it is also possible to copy the updated zone from VCS into a directory writable by Knot and issue 'knotc reload'. This handling cannot be automated by Knot DNS, but a script to perform this operation is simple to write. But keep in mind, that this solution will have a similar drawbacks as the solution with disabled zone file syncing. I hope this explanation will help you at least a little. I would recommend to try the 1.5 version and to store a signed zone in the VCS, or to go with the scripted solution you suggested. Please, let us know whether it works for you. Thanks & Regards, Jan On 8.7.2014 14:24, chrysn wrote: