Hi Libor,
Thanks a lot for your help.
On Wed, 17 Oct 2018 14:06:00 +0200
"libor.peltan" <libor.pel...@nic.cz> wrote:
> by default, all changes to the zone, including DNSSEC signing, are
> immediately flushed into zonefile. Thus, if you simply set
> dnssec-signing to off, Knot stops signing the zone, but the
> signatures from before remain in the zone. You can then remove them
> from the zonefile (using a text editor - delete lines with "DNSKEY",
> "CDS", "CDSNKEY", "RRSIG" and "NSEC") and reload the zone (stop-start
> server or knotc zone-reload...).
Ah, the mistake was that changing the dnssec-policy *and* dnssec-signing
in one go does not insert the delete-CDS/CDNSKEY records since knot
immediately stops all dnssec related actions. Thanks!
> If you already have a DS record in the parent zone, it's needed to
> tell them to remove it, *before* you turn off signing. The canonical
> way to do it is publishing the delete-CDS/CDNSKEY record by turning
> cds-cdnskey-publish to delete-dnssec, and wait until the parent zone
> notices and reacts.
Am I right that, unlike the signing process (KSK submission attempts),
there is no built-in functionality in knot, that takes care about the
right time to remove the key material from the zone?
I was thinking about something in keymgr that allows me to specify an
upcoming retirement for a KSK.
So, basically I should wait
[propagation-delay] + [max TTL seen in zone/knot_soa_minimum]
seconds until I manually remove the material.
Does that sound reasonable?
Thanks!
--
Oliver PETER oli...@gfuzz.de 0x456D688F
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
