Hi Libor, Thanks a lot for your help.
On Wed, 17 Oct 2018 14:06:00 +0200 "libor.peltan" <libor.pel...@nic.cz> wrote:

> by default, all changes to the zone, including DNSSEC signing, are
> immediately flushed into zonefile. Thus, if you simply set
> dnssec-signing to off, Knot stops signing the zone, but the
> signatures from before remain in the zone. You can then remove them
> from the zonefile (using a text editor - delete lines with "DNSKEY",
> "CDS", "CDNSKEY", "RRSIG" and "NSEC") and reload the zone (stop-start
> server or knotc zone-reload...).

Ah, the mistake was that changing the dnssec-policy *and* dnssec-signing in one go does not insert the delete-CDS/CDNSKEY records, since Knot immediately stops all DNSSEC-related actions. Thanks!

> If you already have a DS record in the parent zone, it's needed to
> tell them to remove it, *before* you turn off signing. The canonical
> way to do it is publishing the delete-CDS/CDNSKEY record by turning
> cds-cdnskey-publish to delete-dnssec, and wait until the parent zone
> notices and reacts.

Am I right that, unlike the signing process (KSK submission attempts), there is no built-in functionality in Knot that takes care of the right time to remove the key material from the zone? I was thinking about something in keymgr that allows me to specify an upcoming retirement for a KSK.

So, basically I should wait [propagation-delay] + [max TTL seen in zone/knot_soa_minimum] seconds until I manually remove the material. Does that sound reasonable?

Thanks!

-- 
Oliver PETER oli...@gfuzz.de 0x456D688F

-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
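The recipe in the quoted reply (once the parent has dropped the DS, delete the DNSKEY, CDS, CDNSKEY, RRSIG and NSEC lines from the flushed zonefile and reload) and the proposed wait of propagation-delay plus the largest TTL in the zone are easy to get wrong with a line-based grep, because master-file syntax allows a record to continue across "(" ... ")" lines and allows ";" inside quoted TXT data. The Python script below is an added example, not part of this thread and not Knot DNS tooling: it reads the zone file as logical records, removes the DNSSEC-generated types, and reports the largest TTL seen before stripping (the old DNSKEY and RRSIG TTLs are exactly the ones that matter for caches). It assumes standard master-file syntax; it also drops NSEC3 and NSEC3PARAM, which the quoted advice does not list; and the sample zone, the key and signature data in it and the 3600 s propagation delay are constructed placeholders.

```python
"""Strip DNSSEC-generated RRs from a zone file and report the largest TTL.

Added example, not Knot's own code.  Assumes standard master-file syntax:
optional owner, optional TTL/class in either order, ';' comments, '(' ')'
continuation lines and quoted strings.
"""
import re

# RR types that exist only because the zone was signed.  NSEC3/NSEC3PARAM are
# an assumption beyond the thread's list, for zones that were signed with NSEC3.
DNSSEC_TYPES = {"DNSKEY", "CDS", "CDNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}
CLASSES = {"IN", "CH", "HS", "CS"}
_TTL_RE = re.compile(r"^(?:\d+[smhdw]?)+$", re.I)
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """TTL in seconds for '3600', '1h', '1d12h'; None if the token is not a TTL."""
    if not _TTL_RE.match(token):
        return None
    return sum(int(n) * _UNIT[(u or "s").lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", token, re.I))


def _strip_comment(line):
    """Drop a ';' comment outside quotes; count '(' / ')' outside quotes."""
    out, depth, in_quotes, escaped = [], 0, False, False
    for ch in line:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            if ch == ";":
                break
            depth += {"(": 1, ")": -1}.get(ch, 0)
        out.append(ch)
    return "".join(out), depth


def _logical_records(text):
    """Yield (raw_lines, cleaned_text) with '(' ... ')' continuations merged."""
    raw, clean, depth = [], [], 0
    for line in text.splitlines():
        stripped, delta = _strip_comment(line)
        raw.append(line)
        clean.append(stripped)
        depth += delta
        if depth <= 0:
            yield raw, " ".join(clean)
            raw, clean, depth = [], [], 0
    if raw:  # unterminated '(' at EOF: hand it back rather than lose it
        yield raw, " ".join(clean)


def classify(clean, default_ttl):
    """(rtype, ttl) for one logical record; ('$TTL', secs) etc. for directives."""
    tokens = clean.split()
    if not tokens:
        return None, None
    if tokens[0].startswith("$"):
        return tokens[0].upper(), parse_ttl(tokens[1]) if len(tokens) > 1 else None
    i = 0 if clean[0].isspace() else 1   # leading whitespace = same owner as above
    ttl = None
    for _ in range(2):                   # TTL and class are optional, either order
        if i >= len(tokens):
            break
        if ttl is None and parse_ttl(tokens[i]) is not None:
            ttl = parse_ttl(tokens[i])
            i += 1
        elif tokens[i].upper() in CLASSES:
            i += 1
    rtype = tokens[i].upper() if i < len(tokens) else None
    return rtype, ttl if ttl is not None else default_ttl


def strip_dnssec(text, types=DNSSEC_TYPES):
    """Return (unsigned_zone_text, max_ttl_seen_before_stripping, {rtype: count})."""
    kept, removed, max_ttl, default_ttl = [], {}, 0, None
    for raw_lines, clean in _logical_records(text):
        rtype, ttl = classify(clean, default_ttl)
        if rtype == "$TTL" and ttl is not None:
            default_ttl = ttl
        if rtype is None or rtype.startswith("$"):
            kept.extend(raw_lines)      # blank lines, comments, directives stay
            continue
        if ttl is not None:
            max_ttl = max(max_ttl, ttl) # measured before stripping on purpose
        if rtype in types:
            removed[rtype] = removed.get(rtype, 0) + 1
        else:
            kept.extend(raw_lines)      # emit the original text untouched
    return "\n".join(kept) + "\n", max_ttl, removed


def removal_wait(propagation_delay, max_ttl):
    """Seconds to wait before deleting old material (the thread's rule of thumb)."""
    return propagation_delay + max_ttl


# Constructed sample resembling a flushed signed zone; key/signature data are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       3600 IN SOA  ns1 hostmaster 2018101701 7200 3600 1209600 300
@       3600 IN NS   ns1
@       3600 IN RRSIG SOA 13 2 3600 20181117000000 20181017000000 12345 example.net. (
                     AbCdEf==  ; signature placeholder
                     )
@       86400 IN DNSKEY 257 3 13 AwEAAexample==
@       86400 IN RRSIG DNSKEY 13 2 86400 20181117000000 20181017000000 54321 example.net. AbC==
@       3600 IN CDS 54321 13 2 0123456789ABCDEF
@       3600 IN CDNSKEY 257 3 13 AwEAAexample==
@       3600 IN NSEC ns1.example.net. SOA NS RRSIG NSEC DNSKEY CDS CDNSKEY
ns1     600  IN A    192.0.2.1
ns1     600  IN TXT  "note; a semicolon inside quotes" ; real comment
ns1     600  IN RRSIG A 13 3 600 20181117000000 20181017000000 12345 example.net. XyZ==
        600  IN NSEC example.net. A TXT RRSIG NSEC
_acme   IN TXT "token"
"""

if __name__ == "__main__":
    unsigned, max_ttl, removed = strip_dnssec(SAMPLE_ZONE)
    print(unsigned)
    print("removed:", removed, "max TTL:", max_ttl,
          "wait at least:", removal_wait(3600, max_ttl), "s (3600 s propagation-delay assumed)")
```

Run it against a copy of the flushed zonefile, review the diff, and only then reload as the quoted reply describes. The script leaves the SOA serial alone, so bump it by hand if secondaries need to pick up the change.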