Hi Tobias,

> Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
In simple DNSSEC terms, the idea of a rollover, regardless of whether it is a ZSK, KSK or even an algorithm rollover, is that old settings remain in the same zone that carries the new settings. This is to help validating resolvers that still hold old (cached) RRSIGs or DS records to keep using them, while also caching the new ones, until the old ones expire. If you remove old RRSIGs without giving resolvers time to cache the new details, then resolvers will fail to accept the new zone details, even though they are signed by the intended zone master signer. This is explained more properly in RFC 7583 <https://tools.ietf.org/html/rfc7583>.

As for how long a 'rolled over' item remains in your zone, that is what you should be able to define in your policy settings. I can't comment on how Knot does it because we don't use it to do DNSSEC management, but it is a slave to our master signer, so all our zones served by Knot are DNSSEC secured.

HTH,
Kareem.

--
Abdulkareem H. Ali
Network Operations Engineer
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com

CentralNic Group PLC is a company registered in England and Wales with company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
_______________________________________________ knot-dns-users mailing list [email protected] https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
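The timing argument in the reply above (old key and old signatures must stay published until every cache has expired them) is the pre-publication ZSK rollover of RFC 7583 section 3.2. The following is an added example, not code from the mail, from Knot DNS or from any signer: a toy model of an authoritative zone, a worst-case secondary that lags the master by a fixed propagation delay, and a population of caching validators. It assumes constructed key tags and TTLs, a 60-second query cadence, and instantaneous re-signing (Dsgn = 0 in the RFC's notation), and shows a removal that is too early causing validation failures while the scheduled removal causes none.

```python
"""Toy model of a pre-publication ZSK rollover (RFC 7583, section 3.2).

Added example; not code from the original mail or from Knot DNS.  Key tags,
TTLs and delays are constructed values; re-signing is assumed instantaneous.
"""

OLD_ZSK, NEW_ZSK = 11111, 22222   # constructed key tags


class Zone:
    """Authoritative state: published key tags and the tag currently signing."""

    def __init__(self, dnskey_ttl, max_zone_ttl, propagation_delay):
        self.dnskey_ttl = dnskey_ttl                # TTL of the DNSKEY RRset
        self.max_zone_ttl = max_zone_ttl            # largest TTL of any signed RRset
        self.propagation_delay = propagation_delay  # master -> slowest secondary
        # (time, published key tags, signing key tag); zone is stable before t=0
        self.history = [(0, frozenset({OLD_ZSK}), OLD_ZSK)]

    def _change(self, t, published, signer):
        assert t >= self.history[-1][0], "events must be appended in time order"
        self.history.append((t, frozenset(published), signer))

    def publish(self, t, tag):
        """Step 1: add the new ZSK to DNSKEY; keep signing with the old one."""
        _, published, signer = self.history[-1]
        self._change(t, published | {tag}, signer)

    def switch_signer(self, t, tag):
        """Step 2: start signing with the new ZSK (it must already be published)."""
        _, published, _ = self.history[-1]
        assert tag in published, "never sign with a key resolvers cannot have seen"
        self._change(t, published, tag)

    def remove(self, t, tag):
        """Step 3: drop the old ZSK from the DNSKEY RRset."""
        _, published, signer = self.history[-1]
        assert tag != signer, "do not remove the key that is still signing"
        self._change(t, published - {tag}, signer)

    def view(self, t):
        """What the slowest secondary (e.g. a slave) still serves at time t."""
        seen = t - self.propagation_delay
        state = self.history[0]
        for entry in self.history:
            if entry[0] <= seen:
                state = entry
        return state[1], state[2]


class Resolver:
    """Caching validator holding one DNSKEY RRset and one RRSIG until TTL expiry."""

    def __init__(self):
        self.dnskeys, self.dnskeys_expire = frozenset(), -1
        self.rrsig_tag, self.rrsig_expire = None, -1

    def validate(self, zone, t):
        published, signer = zone.view(t)
        if t >= self.rrsig_expire:                   # refetch the signed RRset
            self.rrsig_tag, self.rrsig_expire = signer, t + zone.max_zone_ttl
        if t >= self.dnskeys_expire:                 # refetch the DNSKEY RRset
            self.dnskeys, self.dnskeys_expire = published, t + zone.dnskey_ttl
        # An RRSIG validates only if its key tag is in the DNSKEY RRset we hold.
        return self.rrsig_tag in self.dnskeys


def rollover_schedule(publish_at, dnskey_ttl, max_zone_ttl, propagation_delay):
    """Earliest safe times to switch signer and to remove the old ZSK.

    Ipub = TTL(DNSKEY) + propagation: every cache now holds the new DNSKEY.
    Iret = max zone TTL + propagation: every old-key RRSIG has expired.
    """
    switch_at = publish_at + dnskey_ttl + propagation_delay
    remove_at = switch_at + max_zone_ttl + propagation_delay
    return switch_at, remove_at


def first_validation_failure(remove_at, dnskey_ttl=3600, max_zone_ttl=86400,
                             propagation_delay=600, step=60):
    """Run the rollover, removing OLD_ZSK at remove_at, against resolvers that
    start querying at different moments and then query every `step` seconds.
    Returns the earliest time any resolver fails to validate, or None."""
    zone = Zone(dnskey_ttl, max_zone_ttl, propagation_delay)
    switch_at, _ = rollover_schedule(0, dnskey_ttl, max_zone_ttl, propagation_delay)
    zone.publish(0, NEW_ZSK)
    zone.switch_signer(switch_at, NEW_ZSK)
    zone.remove(remove_at, OLD_ZSK)

    # Only resolvers that can cache an old-key RRSIG matter: those whose first
    # query lands while some secondary still serves old-key signatures.
    last_old_sig = switch_at + propagation_delay
    end = remove_at + propagation_delay + max_zone_ttl + dnskey_ttl
    earliest = None
    for start in range(0, last_old_sig, step):
        resolver = Resolver()
        for t in range(start, end, step):
            if not resolver.validate(zone, t):
                earliest = t if earliest is None else min(earliest, t)
                break
    return earliest


if __name__ == "__main__":
    switch_at, safe_remove_at = rollover_schedule(0, 3600, 86400, 600)
    print("switch signer at", switch_at, "s; remove old ZSK at", safe_remove_at, "s")
    print("removed 2h after switch, first failure at:",
          first_validation_failure(switch_at + 7200))
    print("removed per schedule, first failure at:",
          first_validation_failure(safe_remove_at))
```

The failing run is the case the mail warns about: a resolver that refreshes its DNSKEY RRset after the old key is gone, while still holding an RRSIG made with that key, has nothing to validate the signature against. A real signer's policy (the lifetimes and propagation delay the mail mentions) is what turns these two intervals into the wait times between steps.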
