> Any idea?

I found a fix. I noticed a difference in the "keymgr" output for zones which publish CDS/CDNSKEY and for zones which don't.
Zones not showing the CDS/CDNSKEY have "ready=0" in the output of:

    keymgr <zone> list

Changing "ready=0" to some value, e.g. now, and re-signing the zone fixes the problem and publishes the CDS/CDNSKEY record.

Fix:

    keymgr <zone> set <key_spec> ready=1534356842
    knotc zone-sign <zone>

If I manually create a key it has ready set to 0, e.g.:

    keymgr <zone> generate algorithm=13 ksk=yes zsk=yes
    keymgr <zone> list
    1ae97d2478865aad20148abcb0a02a59748dad6a ksk=yes zsk=yes tag=64141 algorithm=13 public-only=no created=1534357158 pre-active=0 publish=1534357158 ready=0 active=1534357158 retire-active=0 retire=0 post-active=0 remove=0
    ....

I can't remember how the keys for my old zones have been created. In any case, I guess it should be sufficient to publish the "CDS/CDNSKEY" records if "publish" is set to some value in the past.

Is this a bug?

Daniel
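
Added example, not part of the original message and not Knot DNS code: a small checker that reads `keymgr <zone> list` output in the format shown above and reports KSKs that are already published but still have "ready=0", the condition the message associates with missing CDS/CDNSKEY records. The function names and the second sample key are assumptions made up for illustration.

```python
import time

# First line is the key listed in the message; the second key is constructed
# for this example and has "ready" set to the value used in the message's fix.
SAMPLE = """\
1ae97d2478865aad20148abcb0a02a59748dad6a ksk=yes zsk=yes tag=64141 algorithm=13 public-only=no created=1534357158 pre-active=0 publish=1534357158 ready=0 active=1534357158 retire-active=0 retire=0 post-active=0 remove=0
0000000000000000000000000000000000000001 ksk=yes zsk=yes tag=1 algorithm=13 public-only=no created=1534350000 pre-active=0 publish=1534350000 ready=1534356842 active=1534350000 retire-active=0 retire=0 post-active=0 remove=0
"""

def parse_key_line(line):
    """Parse '<key_id> name=value ...' into a dict; None if not a key entry."""
    fields = line.split()
    if not fields or "=" in fields[0]:
        return None
    key = {"id": fields[0]}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep:
            continue  # skip tokens that are not name=value pairs
        # Timers, tag and algorithm are plain integers in this listing format.
        key[name] = int(value) if value.isdigit() else value
    return key

def ksks_with_unset_ready(listing, now=None):
    """Return ids of KSKs whose publish time has passed but whose ready timer is 0."""
    now = int(time.time()) if now is None else now
    flagged = []
    for line in listing.splitlines():
        key = parse_key_line(line)
        if key is None or key.get("ksk") != "yes":
            continue
        publish, ready = key.get("publish"), key.get("ready")
        if not isinstance(publish, int) or not isinstance(ready, int):
            continue  # unexpected timer format, do not guess
        if 0 < publish <= now and ready == 0:
            flagged.append(key["id"])
    return flagged

if __name__ == "__main__":
    for key_id in ksks_with_unset_ready(SAMPLE):
        print("ready=0 on published KSK:", key_id)
```
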