Welcome Einar,
On 12/14/21 12:36 AM, Einar Bjarni Halldórsson wrote:
Hi,
We're preparing to migrate our zones from OpenDNSSEC 1.4 to Knot DNS 3.1 (and
eventually the .is zone).
We've already migrated one unsigned zone to the new signers, but next on the list is
the first currently signed zone.
We're going to migrate the zone by doing a key rollover, so we'll add DNSKEY
records for the new keys to the zone on the old signer and vice versa. While we're
migrating the zone we have to stop
automatic key rollovers, and I planned to create a new policy 'dnssec_freeze'
with `manual: on` and apply it to zones during migration.
As Anand wrote already, you cannot simply modify the DNSKEY RRset in the zone. You have to
use `keymgr import-pub` instead, and set
some key timestamps via `keymgr set` if necessary.
Also, you don't need to switch to the manual mode. Knot changes the keys only if there
is any reason for that (e.g. DNSSEC policy modification). If you need more time,
you can just extend the zsk-lifetime.
Am I correct that this will stop all automatic key rollovers, but keep the signatures
updated?
Yes, that's exactly how the manual key management works.
Once the migration is complete, DS records and delegations have been updated etc.,
I'll change the policy to an automatic policy. Will knot seamlessly start
automatically rolling over keys according to
the new policy?
Yes, Knot will continue managing the keys automatically.
Daniel
.einar
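A runbook sketch of the import step Daniel describes, written as an added example for this thread (not code from the thread or from the Knot project): it wraps `keymgr import-pub` and `keymgr set` in shell functions, assumes placeholder values for the zone, config path, key file and keytag, and adds a DRY_RUN mode that only prints the keymgr command lines so the sequence can be reviewed before it touches the KASP database.

```shell
#!/bin/sh
# Added example: publish the other signer's public DNSKEYs in a Knot zone
# during a migration by importing them into Knot's KASP db, then pin their
# timestamps so Knot treats them as established keys while both signers
# publish the same DNSKEY RRset. Knot never signs with a public-only key.
# DRY_RUN=1 prints each keymgr command instead of executing it.
set -eu

ZONE="${ZONE:-example.is.}"                    # placeholder zone name
KASP_CONF="${KASP_CONF:-/etc/knot/knot.conf}"  # placeholder config path

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Import a public-only key from a BIND-style Kzone.+alg+tag.key file.
# This is the keymgr command Daniel points to instead of editing the
# DNSKEY RRset in the zone file by hand.
import_pubkey() {
    run keymgr -c "$KASP_CONF" "$ZONE" import-pub "$1"
}

# Adjust timestamps on an existing key (keytag or key id as $1), e.g.
#   pin_key_timestamps 12345 publish=+0          # publish immediately
#   pin_key_timestamps 12345 remove=+0           # drop it after the old
#                                                # signer has been retired
# "+0" is Knot's relative-time syntax for "now"; which timestamps need
# setting depends on where the imported key is in its lifecycle.
pin_key_timestamps() {
    key="$1"; shift
    run keymgr -c "$KASP_CONF" "$ZONE" set "$key" "$@"
}

# Show every key in the zone with its timestamps to verify the result.
list_keys() {
    run keymgr -c "$KASP_CONF" "$ZONE" list
}

# Note: per Daniel's reply, no 'manual: on' policy is required for this;
# if the overlap must last longer than the current ZSK lifetime, raise
# zsk-lifetime in the zone's policy instead of freezing key management.
```

Typical use is `DRY_RUN=1 sh migrate.sh` first to eyeball the commands, then the same calls without DRY_RUN on the new signer.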