Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with keymgr
to a value in the near future, but that just led to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find any documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
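The state described in the post, checked mechanically. This is an added example, not code from the post or from the Knot project. It applies the RFC 4035 section 2.2 rule that every algorithm present in the apex DNSKEY RRset must sign the zone, which in KSK/ZSK terms means each algorithm needs an active KSK and an active ZSK until its keys are removed; retiring only the RSASHA256 ZSK while the RSASHA256 KSK stays published leaves that algorithm without a signer, and a lone ECDSAP256SHA256 ZSK leaves the new algorithm without a KSK. The key listing is constructed, in a simplified "keyid ksk= zsk= tag= algorithm= publish= active= retire= remove=" form assumed to resemble `keymgr ZONE list` (assumption: check the field names your Knot version prints). The `keymgr`/`knotc` invocations in `plan_rollover` are an assumed illustration of the conservative algorithm rollover from RFC 6781 section 4.1.4 (new KSK and ZSK in together, DS at the parent, then old KSK and ZSK out together), not Knot documentation; key IDs and timer offsets are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Knot project).

# Constructed listings, simplified from what `keymgr ZONE list` is assumed to
# print. Epoch 0 in a timer field means "not set". Algorithm 8 = RSASHA256,
# 13 = ECDSAP256SHA256.

# State in the post: RSA KSK + RSA ZSK, plus a freshly generated ECDSA ZSK.
BEFORE_KEYS='aaaa ksk=yes zsk=no tag=11111 algorithm=8 publish=1500000000 active=1500000000 retire=0 remove=0
bbbb ksk=no zsk=yes tag=22222 algorithm=8 publish=1500000000 active=1500000000 retire=0 remove=0
cccc ksk=no zsk=yes tag=33333 algorithm=13 publish=1580000000 active=1580000000 retire=0 remove=0'

# The attempted fix: old RSA ZSK retired (still published), nothing else changed.
ATTEMPT_KEYS='aaaa ksk=yes zsk=no tag=11111 algorithm=8 publish=1500000000 active=1500000000 retire=0 remove=0
bbbb ksk=no zsk=yes tag=22222 algorithm=8 publish=1500000000 active=1500000000 retire=1585000000 remove=0
cccc ksk=no zsk=yes tag=33333 algorithm=13 publish=1580000000 active=1580000000 retire=0 remove=0'

# Conservative rollover state: a KSK of the new algorithm is active as well.
CONSERVATIVE_KEYS='aaaa ksk=yes zsk=no tag=11111 algorithm=8 publish=1500000000 active=1500000000 retire=0 remove=0
bbbb ksk=no zsk=yes tag=22222 algorithm=8 publish=1500000000 active=1500000000 retire=0 remove=0
cccc ksk=no zsk=yes tag=33333 algorithm=13 publish=1580000000 active=1580000000 retire=0 remove=0
dddd ksk=yes zsk=no tag=44444 algorithm=13 publish=1580000000 active=1580000000 retire=0 remove=0'

# check_algorithms LISTING NOW
# For every algorithm that is published at time NOW (epoch seconds), require an
# active KSK and an active ZSK of that algorithm. Prints one line per violation
# and exits non-zero when there is any; silent with exit 0 otherwise.
check_algorithms() {
    printf '%s\n' "$1" | awk -v now="$2" '
    NF > 0 {
        ksk = ""; zsk = ""; alg = ""; pub = 0; act = 0; ret = 0; rem = 0
        for (i = 2; i <= NF; i++) {           # field 1 is the key id
            split($i, kv, "=")
            if      (kv[1] == "ksk")       ksk = kv[2]
            else if (kv[1] == "zsk")       zsk = kv[2]
            else if (kv[1] == "algorithm") alg = kv[2]
            else if (kv[1] == "publish")   pub = kv[2] + 0
            else if (kv[1] == "active")    act = kv[2] + 0
            else if (kv[1] == "retire")    ret = kv[2] + 0
            else if (kv[1] == "remove")    rem = kv[2] + 0
        }
        # published: in the DNSKEY RRset; active: currently producing RRSIGs
        published = (pub > 0 && pub <= now && (rem == 0 || rem > now))
        active    = (act > 0 && act <= now && (ret == 0 || ret > now))
        if (published) seen[alg] = 1
        if (published && active) {
            if (ksk == "yes") has_ksk[alg] = 1
            if (zsk == "yes") has_zsk[alg] = 1
        }
    }
    END {
        bad = 0
        for (a in seen) {
            if (!(a in has_ksk)) { printf "algorithm %s: missing active KSK\n", a; bad = 1 }
            if (!(a in has_zsk)) { printf "algorithm %s: missing active ZSK\n", a; bad = 1 }
        }
        exit bad
    }'
}

# plan_rollover ZONE OLD_KSK_ID OLD_ZSK_ID
# Prints (does not execute) the assumed command sequence for a conservative
# algorithm rollover. Run the last three lines only after the parent serves the
# new DS and the old DS has expired from caches.
plan_rollover() {
    zone=$1; old_ksk=$2; old_zsk=$3
    cat <<EOF
keymgr $zone generate algorithm=ecdsap256sha256 ksk=yes
keymgr $zone generate algorithm=ecdsap256sha256 zsk=yes
knotc zone-sign $zone
keymgr $zone ds
keymgr $zone set $old_ksk retire=+2d remove=+4d
keymgr $zone set $old_zsk retire=+2d remove=+4d
knotc zone-sign $zone
EOF
}

# Stand-alone use: pass a file holding your own key listing to check it now.
if [ -n "${1:-}" ]; then
    check_algorithms "$(cat "$1")" "$(date +%s)"
fi
```

Run against the constructed states, `check_algorithms "$BEFORE_KEYS" 1590000000` reports only that algorithm 13 lacks an active KSK, `ATTEMPT_KEYS` adds the missing RSA ZSK on top of that (the situation behind the "missing active KSK or ZSK" error), and `CONSERVATIVE_KEYS` passes cleanly; once the new DS is live, the old KSK and ZSK are retired together so algorithm 8 leaves the DNSKEY RRset as a unit rather than lingering without a signer.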