Hi Chris,
On 12/15/21 10:28 PM, Chris wrote:
On 2021-12-15 13:01, Anand Buddhdev wrote:
On 15/12/2021 20:18, Chris wrote:
Hi Chris,
[snip config details]
How would I best make this change? Is it enough to simply change algorithm:
and Knot will just do the right thing?
Yes, please! Just change the algorithm and let Knot do its thing. It will do the
right thing. Please do *not* fiddle with things manually. DNSSEC is complex, and
algorithm roll-overs require care. The developers of Knot have put in a lot of
care into handling algorithm roll-overs. Trust their expertise.
Thanks for the reply, Anand! :-)
I'm well aware of all the complexities, and am well confident in Knot's abilities
to DTRT. But "stuff" happens. E.g.: after creating the additional policy,
some of the zones are _also_ adopting that new policy as _well_ as the original
policy. IOW there are some zones with both RSASHA1 _and_ RSASHA256 hashes in them.
One zone cannot use more than one DNSSEC policy! I think you are confused by an ongoing
algorithm rollover, when both algorithms are present in the zone (see
https://datatracker.ietf.org/doc/html/rfc6781#section-4.1.4).
config (diffs):

policy:
  - id: rsa1
    algorithm: RSASHA1
    zsk-size: 1024

policy:
  - id: rsa2
    algorithm: RSASHA256
    zsk-size: 2048

ALL zones but the test zone mentioned earlier:

  - domain: domain.name
    ...
    dnssec-signing: on
    dnssec-policy: rsa1
So why do (some) zones arbitrarily pick up the added policy when it
is not the policy declared within the domain block?
Isn't it possible that the policy is declared in a zone template?
Daniel
IOW dnssec-policy: rsa1 is the only dnssec-policy listed within all the
domain blocks, and it's listed within all of the domain blocks, save
the earlier test domain. So "stuff" happened. :-/
Thanks again, for taking the time to respond, Anand.
-- Chris
>
> Regards,
> Anand
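As an added example (not from this thread and not Knot's own code), a small Python check for the situation Chris describes: it reads DNSKEY and RRSIG records in dig-style presentation format (the sample records below are constructed) and classifies each zone as single-algorithm, rollover-in-progress (both algorithms published and both signing every RRset, as RFC 6781 section 4.1.4 expects during a rollover) or inconsistent (an algorithm in the DNSKEY RRset that is not signing some RRset, which breaks the RFC 4035 section 2.2 rule that every algorithm in the DNSKEY RRset must sign every RRset).

```python
"""Classify a zone's DNSSEC algorithm state from its DNSKEY and RRSIG records.
Added example, not from the mailing-list thread or from Knot DNS."""
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers for the algorithms discussed in the thread (plus one common other).
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Presentation format: owner TTL IN DNSKEY flags protocol alg key / owner TTL IN RRSIG type alg ...
DNSKEY_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+DNSKEY\s+\d+\s+3\s+(?P<alg>\d+)\s")
RRSIG_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s")

# Constructed sample: example.net. is mid-rollover (alg 5 and 8, both signing), example.org.
# uses only alg 8, and test.example. published an alg-8 key that signs nothing.
SAMPLE = """\
example.net. 3600 IN DNSKEY 256 3 5 AwEAAc...ZSK5
example.net. 3600 IN DNSKEY 256 3 8 AwEAAc...ZSK8
example.net. 3600 IN RRSIG DNSKEY 5 2 3600 20220101000000 20211215000000 11111 example.net. sig...
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20220101000000 20211215000000 22222 example.net. sig...
example.net. 3600 IN RRSIG SOA 5 2 3600 20220101000000 20211215000000 11111 example.net. sig...
example.net. 3600 IN RRSIG SOA 8 2 3600 20220101000000 20211215000000 22222 example.net. sig...
example.org. 3600 IN DNSKEY 256 3 8 AwEAAc...ZSK8
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20220101000000 20211215000000 33333 example.org. sig...
example.org. 3600 IN RRSIG SOA 8 2 3600 20220101000000 20211215000000 33333 example.org. sig...
test.example. 3600 IN DNSKEY 256 3 5 AwEAAc...ZSK5
test.example. 3600 IN DNSKEY 256 3 8 AwEAAc...ZSK8
test.example. 3600 IN RRSIG SOA 5 2 3600 20220101000000 20211215000000 44444 test.example. sig...
"""


def algorithm_state(rr_text: str) -> dict:
    """Return {zone: {"dnskey": set of algorithm names, "state": str}} for every zone seen."""
    dnskey = defaultdict(set)                       # zone -> algorithms in the DNSKEY RRset
    rrsig = defaultdict(lambda: defaultdict(set))   # zone -> covered type -> signing algorithms
    for line in rr_text.splitlines():
        m = DNSKEY_RE.match(line)
        if m:
            dnskey[m["zone"]].add(int(m["alg"]))
            continue
        m = RRSIG_RE.match(line)
        if m:
            rrsig[m["zone"]][m["type"]].add(int(m["alg"]))
    result = {}
    for zone in set(dnskey) | set(rrsig):
        keys = dnskey[zone]
        # Every RRset seen must carry one RRSIG per DNSKEY algorithm (RFC 4035 section 2.2).
        consistent = bool(rrsig[zone]) and all(algs == keys for algs in rrsig[zone].values())
        state = "inconsistent" if not consistent else ("single-algorithm" if len(keys) == 1
                                                        else "rollover-in-progress")
        result[zone] = {"dnskey": {ALG_NAMES.get(a, str(a)) for a in keys}, "state": state}
    return result


if __name__ == "__main__":
    for zone, info in sorted(algorithm_state(SAMPLE).items()):
        print(f"{zone:15} {info['state']:22} {sorted(info['dnskey'])}")
```

Feed it the output of `dig +dnssec DNSKEY` and `dig +dnssec SOA` for a zone to see whether "both RSASHA1 and RSASHA256 in the zone" is the expected rollover state or a genuine inconsistency.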