Re: [knot-dns-users] KSK Rollover - Lab Policy For Testing

Hello Daniel, we tried the described approach, and it worked fine for zones, that we already executed "knotc zone-ksk-submitted xx.tld" for. For freshly added zones however the "knotc zone-status xx.tld" returns a status that indicates that the parent DS query has not been scheduled: [xx.tld.] role: master | serial: 1551549547 | transaction: none | freeze: no | load: not scheduled | refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC re-sign: +19h26m42s | NSEC3 resalt: +27D2h42m39s | parent DS query: not scheduled Also our logs do not show any attempts of parent DS queries for the affected zone, only for the zones that we previously executed "zone-ksk-submitted" for. Right now we add the zone using a default template (which does not make use of DNSSEC), because not all of our zones should be signed right away and switch the template to a signed template for specific zones, that we actually want to sign. Here's an excerpt from our current config: remote: - id: local-resolver address: 192.168.1.2 submission: - id: resolver parent: local-resolver policy: - id: shared algorithm: RSASHA256 ksk-size: 2048 zsk-size: 1024 zsk-lifetime: 1d ksk-lifetime: 2d ksk-shared: true ksk-submission: resolver nsec3: true template: - id: default storage: "/var/lib/knot" semantic-checks: on global-module: mod-stats master: primary notify: secondaries acl: [primary, secondaries] - id: signed dnssec-signing: on dnssec-policy: shared acl: [primary, secondaries] notify: secondaries Maybe we get something fundamentally wrong, but from our experience there is no DS scheduling without an initial manual intervention via "knotc zone-ksk-submitted xx.tld". Any hint would be appreciated! Thank a lot, Thomas Am 05.03.19 um 11:49 schrieb Daniel Stirnimann: