Hi Libor,
Thanks a lot for your help.
On Wed, 17 Oct 2018 14:06:00 +0200
"libor.peltan" <libor.peltan(a)nic.cz> wrote:

> by default, all changes to the zone, including DNSSEC signing, are
> immediately flushed into zonefile. Thus, if you simply set
> dnssec-signing to off, Knot stops signing the zone, but the
> signatures from before remain in the zone. You can then remove them
> from the zonefile (using a text editor - delete lines with "DNSKEY",
> "CDS", "CDNSKEY", "RRSIG" and "NSEC") and reload the zone (stop-start
> server or knotc zone-reload...).
Ah, the mistake was that changing the dnssec-policy *and* dnssec-signing
in one go does not insert the delete-CDS/CDNSKEY records since knot
immediately stops all dnssec related actions. Thanks!
> If you already have a DS record in the parent zone, it's needed to
> tell them to remove it, *before* you turn off signing. The canonical
> way to do it is publishing the delete-CDS/CDNSKEY record by turning
> cds-cdnskey-publish to delete-dnssec, and wait until the parent zone
> notices and reacts.
Am I right that, unlike the signing process (KSK submission attempts),
there is no built-in functionality in knot that takes care of the
right time to remove the key material from the zone?
I was thinking about something in keymgr that allows me to specify an
upcoming retirement for a KSK.
So, basically I should wait
[propagation-delay] + [max TTL seen in zone/knot_soa_minimum]
seconds until I manually remove the material.
Does that sound reasonable?
Thanks!
--
Oliver PETER oliver(a)gfuzz.de 0x456D688F
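Added example, not part of the thread and not Knot DNS project code: a small Python helper that does the two manual steps discussed above, removing the DNSSEC-only records from a flushed zonefile and computing the wait time ([propagation-delay] + [max TTL seen in zone / SOA minimum]) before doing so. It goes slightly beyond the record types Libor lists by also dropping NSEC3 and NSEC3PARAM, which exist only because of signing. The zone text is constructed for the example; key and signature data in it are placeholders, not real material. It assumes the one-record-per-line layout Knot writes on flush but also joins records continued inside parentheses.

```python
"""Helpers for manually unsigning a Knot zonefile (example code)."""

# Record types present only because of DNSSEC signing (NSEC3/NSEC3PARAM
# added beyond the list in the thread).
DNSSEC_TYPES = {"DNSKEY", "CDS", "CDNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}
CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line):
    """Drop a ';' comment, ignoring ';' inside double quotes (TXT rdata)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip("\n")


def _records(zone_text):
    """Yield (raw_lines, tokens) per logical record; lines continued inside
    parentheses are joined so a multi-line RRSIG is handled as one record."""
    raw, depth = [], 0
    for line in zone_text.splitlines(keepends=True):
        raw.append(line)
        body = _strip_comment(line)
        depth += body.count("(") - body.count(")")
        if depth > 0:
            continue
        depth = 0
        joined = " ".join(_strip_comment(l) for l in raw)
        yield raw, joined.replace("(", " ").replace(")", " ").split()
        raw = []
    if raw:  # unbalanced parenthesis at EOF: emit what is there
        joined = " ".join(_strip_comment(l) for l in raw)
        yield raw, joined.replace("(", " ").replace(")", " ").split()


def _type_and_ttl(tokens, owner_present=True):
    """Return (RRTYPE, ttl) for one record; (None, None) for directives and
    blank lines; ttl is None when the record inherits the $TTL default."""
    if not tokens or tokens[0].startswith("$"):
        return None, None
    ttl = None
    for tok in tokens[1 if owner_present else 0:]:
        if tok.isdigit() and ttl is None:
            ttl = int(tok)
        elif tok.upper() not in CLASSES:
            return tok.upper(), ttl
    return None, ttl


def strip_dnssec_records(zone_text):
    """Return zone_text with every DNSSEC-only record removed; directives,
    comments and all other records are kept byte-for-byte."""
    kept = []
    for raw, tokens in _records(zone_text):
        rrtype, _ = _type_and_ttl(tokens, owner_present=not raw[0][:1].isspace())
        if rrtype not in DNSSEC_TYPES:
            kept.extend(raw)
    return "".join(kept)


def max_ttl(zone_text):
    """Largest TTL of the records; records without an explicit TTL inherit
    the most recent $TTL directive."""
    default, largest = None, 0
    for raw, tokens in _records(zone_text):
        if len(tokens) > 1 and tokens[0].upper() == "$TTL" and tokens[1].isdigit():
            default = int(tokens[1])
            continue
        rrtype, ttl = _type_and_ttl(tokens, owner_present=not raw[0][:1].isspace())
        if rrtype is None:
            continue
        ttl = default if ttl is None else ttl
        if ttl is not None:
            largest = max(largest, ttl)
    return largest


def soa_minimum(zone_text):
    """The SOA minimum field (last rdata token of the SOA record), or 0."""
    for raw, tokens in _records(zone_text):
        rrtype, _ = _type_and_ttl(tokens, owner_present=not raw[0][:1].isspace())
        if rrtype == "SOA" and tokens[-1].isdigit():
            return int(tokens[-1])
    return 0


def unsigning_wait_seconds(zone_text, propagation_delay):
    """Seconds to wait after the parent has dropped the DS before removing
    key material: propagation delay plus the larger of max TTL and SOA minimum."""
    return propagation_delay + max(max_ttl(zone_text), soa_minimum(zone_text))


# Constructed sample zone in Knot's flushed layout; key/signature data are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ 3600 IN SOA ns1.example.com. hostmaster.example.com. ( 2018101701 7200 900 1209600 300 )
@ 3600 IN NS ns1.example.com.
@ 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==
@ 3600 IN CDS 12345 13 2 PLACEHOLDERDIGEST
@ 3600 IN CDNSKEY 257 3 13 PLACEHOLDERKEYDATA==
@ 3600 IN RRSIG SOA 13 2 3600 (
        20181101000000 20181018000000 12345 example.com.
        PLACEHOLDERSIGDATA== )
@ 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
ns1 86400 IN A 192.0.2.1
www IN A 192.0.2.2 ; no TTL, inherits $TTL
"""

if __name__ == "__main__":
    print(strip_dnssec_records(SAMPLE_ZONE))
    print("wait seconds:", unsigning_wait_seconds(SAMPLE_ZONE, 3600))
```

Run it on the flushed zonefile only after the parent has removed the DS and the computed wait has elapsed; reload the edited file afterwards with knotc zone-reload as described above.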