Hi Ondřej,

This topic has moved to https://gitlab.labs.nic.cz/knot/knot-dns/issues/605

Best,
Daniel

On 08/21/2018 04:31 PM, Ondřej Caletka wrote:
> Hi Daniel,
> 
> Dne 15.8.2018 v 20:26 Daniel Stirnimann napsal(a):
>> Changing "ready=0" to some value e.g. now and resigning the zone fixes
>> the problem and publishes the CDS/CDNSKEY record.
>>
>> Fix:
>> keymgr <zone> set <key_spec> ready=1534356842
>> knotc zone-sign <zone>
> 
> Good point. You can also use some relative scale like ready=-1h
> 
>>
>> If I manually create a key it has ready set to 0, e.g.:
>> keymgr <zone> generate algorithm=13 ksk=yes zsk=yes
>>
>> keymgr <zone> list
>> 1ae97d2478865aad20148abcb0a02a59748dad6a ksk=yes zsk=yes tag=64141
>> algorithm=13 public-only=no  created=1534357158 pre-active=0
>> publish=1534357158 ready=0 active=1534357158 retire-active=0 retire=0
>> post-active=0 remove=0
>> ....
> 
> Hmm, my guess is that "ready" should be in this case automatically set
> to the same value as "active", since "active" state comes after "ready".
> 
>>
>> I can't remember how the keys for my old zones have been created. In any
>> case, I guess it should be sufficient to publish the "CDS/CDNSKEY"
>> records if "publish" is set to some value in the past. Is this a bug?
> 
> In the "publish" state, the key is not yet usable as there may be caches
> caching old keysets. So publishing CDS/CDNSKEY in "ready" state is the
> right thing to do.
> 
> I think it is a bug not to set "ready" key tag to the same value as
> "publish" and "active" tags during manual key generation, though.
> 
> --
> Ondřej Caletka
> CESNET
> 
-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
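As an added check, not code from the thread or from the Knot DNS project, a small shell function that scans the `keymgr <zone> list` output quoted above for keys that are already active but still have `ready=0` (the condition that kept CDS/CDNSKEY unpublished) and prints the `keymgr ... set ... ready=` command the thread arrives at, using the key's own `active` time as Ondřej suggests. The zone name `example.org` and the second sample key below are constructed.

```shell
# Reads "keymgr <zone> list" output on stdin; $1 is the zone name.
# Records may wrap onto several lines (as in the quoted output), so lines are
# joined until the next line that starts with a 40-hex-digit key id.
find_unready_keys() {
    zone="$1"
    awk -v zone="$zone" '
        /^[0-9a-f]+[[:space:]]/ && length($1) == 40 {
            if (rec != "") check(rec)
            rec = $0
            next
        }
        { rec = rec " " $0 }
        END { if (rec != "") check(rec) }

        # Parse one key=value record; report keys with active set but ready=0.
        function check(r,   n, i, f, kv, id, ready, active) {
            n = split(r, f, /[[:space:]]+/)
            id = f[1]; ready = ""; active = ""
            for (i = 2; i <= n; i++) {
                split(f[i], kv, "=")
                if (kv[1] == "ready")  ready  = kv[2]
                if (kv[1] == "active") active = kv[2]
            }
            if (ready == "0" && active != "" && active != "0")
                printf "keymgr %s set %s ready=%s\n", zone, id, active
        }'
}

# Constructed sample: the key from the thread plus one healthy key.
SAMPLE_KEYMGR_LIST='1ae97d2478865aad20148abcb0a02a59748dad6a ksk=yes zsk=yes tag=64141
algorithm=13 public-only=no  created=1534357158 pre-active=0
publish=1534357158 ready=0 active=1534357158 retire-active=0 retire=0
post-active=0 remove=0
0123456789abcdef0123456789abcdef01234567 ksk=no zsk=yes tag=1 algorithm=13 publish=1534357158 ready=1534357158 active=1534357158'

printf '%s\n' "$SAMPLE_KEYMGR_LIST" | find_unready_keys example.org
```

On a live server the same function takes `keymgr example.org list | find_unready_keys example.org`; run `knotc zone-sign <zone>` after applying the printed command, as the thread describes.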