Hi Tobias,

Please keep in mind these limitations
https://www.knot-dns.cz/docs/2.4/singlehtml/index.html#limitations

I would recommend that you stay with the old algorithm for the next
two months until Knot 2.5.0 is released. This version will introduce
a better interface for DNSSEC administration, including KSK rollover!

Daniel

On 03/27/2017 02:56 PM, Tobias Brunner wrote:
Hi,

I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?

I already tried to set "retire" and "remove" on the old ZSK with keymgr
to a value in the near future, but that just led to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.

Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find any documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.

Thanks in advance for explaining the process.

Cheers,
Tobias



_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
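The situation Tobias describes (an RSASHA256 KSK and ZSK plus a new ECDSAP256SHA256 ZSK, with no KSK of the new algorithm yet) is exactly what RFC 6840 section 5.11 forbids: every algorithm in the DNSKEY RRset must also sign every RRset, including the DNSKEY RRset itself, until the rollover is complete. The check below is an added example, not code from the thread or from Knot; it runs over constructed records in dig presentation format with the key material elided, and the zone name, key tags and parent DS algorithms are assumptions.

```python
"""Consistency check for a DNSSEC algorithm rollover (RFC 6840, section 5.11).

Every algorithm present in the DNSKEY RRset must also sign every signed
RRset in the zone, and every algorithm listed in the parent's DS records
must be present in the DNSKEY RRset.
"""
from collections import defaultdict

# Constructed sample records (key material and signatures elided) mirroring the
# thread: RSASHA256 (8) KSK + ZSK, freshly added ECDSAP256SHA256 (13) ZSK.
SAMPLE_RECORDS = """\
example.net. 3600 IN DNSKEY 257 3 8 AwEAAb== ; KSK, RSASHA256
example.net. 3600 IN DNSKEY 256 3 8 AwEAAc== ; ZSK, RSASHA256
example.net. 3600 IN DNSKEY 256 3 13 mdsswU== ; ZSK, ECDSAP256SHA256
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20170501000000 20170401000000 11111 example.net. c2ln==
example.net. 3600 IN RRSIG SOA 8 2 3600 20170501000000 20170401000000 22222 example.net. c2ln==
example.net. 3600 IN RRSIG SOA 13 2 3600 20170501000000 20170401000000 33333 example.net. c2ln==
"""


def parse_records(text):
    """Return (set of DNSKEY algorithms, {type covered: set of RRSIG algorithms})."""
    dnskey_algs = set()
    rrsig_algs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop dig-style comments
        if len(fields) < 6:
            continue
        rtype = fields[3]
        if rtype == "DNSKEY":  # owner ttl class DNSKEY flags protocol algorithm key
            dnskey_algs.add(int(fields[6]))
        elif rtype == "RRSIG":  # owner ttl class RRSIG covered algorithm labels ...
            rrsig_algs[fields[4]].add(int(fields[5]))
    return dnskey_algs, rrsig_algs


def check_algorithm_rollover(text, parent_ds_algs):
    """Return a list of RFC 6840 5.11 violations; an empty list means consistent."""
    dnskey_algs, rrsig_algs = parse_records(text)
    problems = []
    for alg in sorted(dnskey_algs):
        for rtype, algs in sorted(rrsig_algs.items()):
            if alg not in algs:
                problems.append(f"{rtype} RRset has no RRSIG with algorithm {alg}")
    for alg in sorted(set(parent_ds_algs) - dnskey_algs):
        problems.append(f"parent DS uses algorithm {alg} but no DNSKEY has it")
    return problems


if __name__ == "__main__":
    for issue in check_algorithm_rollover(SAMPLE_RECORDS, {8}):
        print("PROBLEM:", issue)
```

On the sample the only finding is the missing algorithm-13 signature over the DNSKEY RRset, which is why a KSK of the new algorithm has to exist before a ZSK of that algorithm is published.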