Re: [knot-dns-users] KSK automated rollover: New KSK generation

Hello, I am using knot version 2.7 with automated keyrollover for DNSSEC. I am trying to understand the rollover process so that I can exactly predict when a rollover is in progress. So far I have understood this: KSK (1) [created and published] ---(progapagtion delay + DNSKEY TTL)--> KSK (1) [ready] ---(submitted in parent zone)--> ---((KSK-TTL) - (DNSKEY TTL + propagation delay + DS parent TTL + x))-> KSK (2) [created and published] KSK (2) [ready] ---(submitted in parent zone)--> KSK (1) [retire-active], KSK (2) [active] ---(propagation delay + DNSKEY TTL)-> KSK (1) [removed] My observartions during the rollover: Knot configuration: DNSKEY-TTL: 12h Propagation-delay: 2h Zone TTL default: 1h KSK-lifetime: 3d ZSK lifetime: 0 Parent configuration: DS-TTL on parent: 1h KSK (1) [created and published] ---(progapagtion delay + DNSKEY TTL)--> KSK (1) [ready] ---(submitted in parent zone)--> ---((3d) - (12h + 2h + 1h + x))-> KSK (2) [created and published] KSK (2) [ready] ---(submitted in parent zone)--> KSK (1) [retire-active], KSK (2) [active] ---(2h + 12h)-> KSK (1) [removed] The new key was created 19 hours before the KSK-lifetime ends. When I substract DNSKEY TTL, propagation delay and DS parent TTL its still 4 hours too early. Somebody knows why? References: https://www.knot-dns.cz/docs/2.7/html/reference.html https://tools.ietf.org/html/rfc6781.html#section-4.1.2 Thanks and Cheers, Sakirnth