Hello André,

If the automatic signing is enabled, Knot should remove all unknown or expired RRSIGs automatically during re-signing. So it is very suspicious.

What does the server print to the log upon `knotc zone-sign ...`? Could you please send me the whole server log?

Thanks,
Daniel

On 10/03/2017 08:52 AM, André Keller wrote:
> Hi Ondřej,
>
> On 03.10.2017 04:54, Ondřej Surý wrote:
>> André, how do you sign the zone? Is Knot DNS master or slave in your
>> configuration? Generally, the DNS server is agnostic to the contents
>> of the zone - whatever is there gets served.
>>
> Knot (2.5.4) is master and does the dnssec-signing. From the configuration:
>
> policy:
>   - id: default_ecdsa
>     algorithm: ecdsap256sha256
>
> template:
>   - id: master_dnssec
>     dnssec-policy: default_ecdsa
>     dnssec-signing: on
>     serial-policy: unixtime
>     file: /var/lib/knot/zones/%s.zone
>
>
> The zone file in /var/lib/knot/zones does not contain any DNSSEC related
> information, this is all added by knot. If I do a:
>
> keymgr example.net list
>
> I do not have a key for the outdated signature anymore. I'm happy to
> provide the domain name and full configuration off-list if that helps.
>
>
> Regards
> André
> _______________________________________________
> knot-dns-users mailing list
> knot-dns-users@lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
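The thread is about an RRSIG that survived re-signing even though `keymgr` no longer lists a key for it. A quick way to audit a signed zone for exactly this condition is to compute the key tag of every DNSKEY present (RFC 4034, Appendix B) and flag any RRSIG whose signer/algorithm/key tag has no matching key, or whose expiration lies in the past. The script below is an added example, not Knot's code or anything from the thread; the zone lines, owner names, key bytes and signature strings are constructed placeholders (the DNSKEY public key is deliberately short), and `SAMPLE_NOW` is an assumed reference time.

```python
"""Audit a zone in presentation format for orphaned or expired RRSIGs.

Added example: parses DNSKEY and RRSIG lines, derives each key's RFC 4034 key
tag, and reports RRSIGs that no listed key could have produced or that have
already expired. All sample data below is constructed for illustration.
"""
import base64
import struct
from datetime import datetime, timezone

# Constructed sample zone (not from the thread). The DNSKEY has a dummy 4-byte
# public key; real ECDSA P-256 keys are 64 bytes. Signatures are placeholders.
SAMPLE_ZONE = """\
example.net. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.net. 3600 IN RRSIG SOA 13 2 3600 20171020000000 20171006000000 2068 example.net. c2lnbmF0dXJl
www.example.net. 3600 IN RRSIG A 13 3 3600 20171020000000 20171006000000 12345 example.net. c2lnbmF0dXJl
mail.example.net. 3600 IN RRSIG A 13 3 3600 20170901000000 20170818000000 2068 example.net. c2lnbmF0dXJl
"""

# Assumed "current time" so the audit is deterministic.
SAMPLE_NOW = datetime(2017, 10, 3, tzinfo=timezone.utc)


def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrsig_time(text):
    """RRSIG inception/expiration: YYYYMMDDHHmmSS or seconds since the epoch."""
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def audit_rrsigs(zone_text, now):
    """Return (owner, covered type, key tag, problem) for each suspicious RRSIG."""
    keys = set()      # (signer name, algorithm, key tag) of every DNSKEY seen
    rrsigs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
            pubkey = "".join(fields[7:])          # base64 may be split into chunks
            keys.add((owner, alg, dnskey_keytag(flags, proto, alg, pubkey)))
        elif rtype == "RRSIG":
            # fields: 4 type covered, 5 algorithm, 8 expiration, 10 key tag, 11 signer
            rrsigs.append((owner, fields[4], int(fields[5]), fields[8],
                           int(fields[10]), fields[11].lower()))

    findings = []
    for owner, covered, alg, expiration, keytag, signer in rrsigs:
        if parse_rrsig_time(expiration) < now:
            findings.append((owner, covered, keytag, "expired"))
        # Key tags are not unique, so a match is necessary but not sufficient
        # for validity; a miss, however, is a definite orphan.
        if (signer, alg, keytag) not in keys:
            findings.append((owner, covered, keytag,
                             "no DNSKEY with this signer/algorithm/key tag"))
    return findings


def sample_findings():
    """Run the audit over the constructed zone at the assumed reference time."""
    return audit_rrsigs(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running it against a real zone is a matter of feeding the output of `kdig ... AXFR` or the signed zone file to `audit_rrsigs` with `datetime.now(timezone.utc)`; an RRSIG that is reported as orphaned after a fresh `knotc zone-sign` is the kind of result worth attaching to a report like the one above.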