Dear all,

I use knot 2.7.1 with automatic DNSSEC signing and key management.

For some zones I have used "cds-cdnskey-publish: none". As .CH/.LI is about to support CDS/CDNSKEY (RFC 8078, RFC 7344), I thought I should enable publishing the CDS/CDNSKEY RR for all my zones. However, the zones which are already secure (trust anchor in parent zone) do not publish the CDS/CDNSKEY record when the setting is changed to "cds-cdnskey-publish: always". I have not been able to reproduce this error on new zones, or on new zones signed and secured with a trust anchor in the parent zone for which I then change the cds-cdnskey-publish setting from "none" to "always". This indicates that there seems to be some state error for my existing zones only.

I tried, but w/o success:

  knotc zone-sign <zone>
  knotc -f zone-purge +journal <zone>
  publish an inactive KSK: keymgr <zone> generate ... ; knotc zone-sign <zone>

Completely removing the zone (and all keys) and restarting fixes the problem, obviously. However, I cannot do this for all my zones as I would have to remove the DS record in the parent zone prior to this...

Any idea?

Daniel

-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
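As an added example (not from the original post or from Knot DNS itself): a small check an operator can run over the answer sections of `dig CDS <zone>` (at the child) and `dig DS <zone> @<parent-ns>` to see whether a zone publishes CDS at all, which is the symptom described above, and whether the CDS set matches what the parent already serves. The zone name, key tags and digests in the sample records are constructed.

```python
"""Compare a zone's published CDS set with the parent's DS set
(child-to-parent signalling per RFC 7344 / RFC 8078).

Only parsing of dig answer-section text is done here, so the example
runs offline on the constructed samples at the bottom.
"""
from typing import Set, Tuple

Rdata = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, digest)


def parse_rrset(answer_text: str, rtype: str) -> Set[Rdata]:
    """Extract CDS or DS rdata from `dig +noall +answer` output.

    Line shape: <owner> <ttl> IN <TYPE> <keytag> <alg> <dtype> <digest...>
    dig may split the digest over whitespace; it is joined and lower-cased
    so that case differences do not cause false mismatches.
    """
    rrs: Set[Rdata] = set()
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN" or fields[3] != rtype:
            continue
        keytag, alg, dtype = (int(f) for f in fields[4:7])
        digest = "".join(fields[7:]).lower()
        rrs.add((keytag, alg, dtype, digest))
    return rrs


def cds_status(cds_answer: str, ds_answer: str) -> str:
    """Classify the child's CDS set against the parent's DS set.

    'missing'  - no CDS published (the problem reported in the post)
    'in-sync'  - CDS equals the DS set the parent already serves
    'rollover' - CDS published but differs from DS (parent should update)
    """
    cds = parse_rrset(cds_answer, "CDS")
    ds = parse_rrset(ds_answer, "DS")
    if not cds:
        return "missing"
    return "in-sync" if cds == ds else "rollover"


# Constructed sample answers; key tags and SHA-256 digests are made up.
SAMPLE_DS = "example.ch. 3600 IN DS 12345 13 2 " + "ab" * 32
SAMPLE_CDS_SAME = "example.ch. 0 IN CDS 12345 13 2 " + "AB" * 32
SAMPLE_CDS_NEW = "example.ch. 0 IN CDS 54321 13 2 " + "cd" * 32
SAMPLE_NONE = ""  # child answers NODATA for CDS

if __name__ == "__main__":
    for label, cds in (("same KSK", SAMPLE_CDS_SAME), ("new KSK", SAMPLE_CDS_NEW), ("no CDS", SAMPLE_NONE)):
        print(label, "->", cds_status(cds, SAMPLE_DS))
```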
For some zones I have used "cds-cdnskey-publish: none". As .CH/.LI is about to support CDS/CDNSKEY (rfc8078, rfc7344) I thought I should enable to publish the CDS/CDNSKEY RR for all my zones. However, the zones which are already secure (trust anchor in parent zone) do not publish the CDS/CDNSKEY record when the setting is changes to "cds-cdnskey-publish: always". I have not been able to reproduce this error on new zones or new zones signed and secured with a trust anchor in the parent zone for which I then change the cds-cdnskey-publish setting from "none" to "always". This indicates that there seems to be some state error for my existing zones only. I tried but w/o success: knotc zone-sign <zone> knotc -f zone-purge +journal <zone> ; publish a inactive KSK keymgr <zone> generate ... ; knotc zone-sign <zone> Completely removing the zone (and all keys) and restarting fixes the problem obviously. However, I cannot do this for all my zones as I would have to remove the DS record in the parent zone prior to this... Any idea? Daniel -- https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users