Hi Oliver,

> Ah, the mistake was that changing the dnssec-policy *and* dnssec-signing
> in one go does not insert the delete-CDS/CDNSKEY records since knot
> immediately stops all DNSSEC-related actions.  Thanks!

You at least want to have the special CDNSKEY record -signed- anyway ;)

> Am I right that, unlike the signing process (KSK submission attempts),
> there is no built-in functionality in knot that takes care of the
> right time to remove the key material from the zone?

Yes. We didn't care much for this use case, sorry. I guess it's not so difficult to achieve this manually. We need to have automated only those processes that start automatically (e.g. KSK rollover).

> So, basically I should wait
>         [propagation-delay] + [max TTL seen in zone/knot_soa_minimum]
> seconds until I manually remove the material.

No, you first need to check when your parent zone removed the DS record. Afterwards, wait for its TTL + propagation_delay.

BR,

Libor

--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
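The procedure Libor describes (confirm the DS is gone from the parent, then wait the DS TTL plus the propagation delay before dropping DNSKEY/RRSIG material) can be turned into a small check. The script below is an added example, not code from the thread or from Knot DNS; the dig-style answer lines are constructed sample data, and the TTL and propagation-delay values are assumptions. The point it makes explicit is that the waiting time is driven by the parent's DS TTL, not by the TTLs in your own zone: a validating resolver that still holds the old DS in cache will fail validation if the DNSKEY set it points to has already disappeared.

```python
# Constructed sample answers, in the shape `dig +noall +answer example.test DS`
# would print when asking the parent's name servers (not real data).
DS_STILL_PUBLISHED = [
    "example.test. 86400 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
]
DS_WITHDRAWN = []  # empty answer section: the parent no longer serves a DS

# Assumed values for the example; take the real ones from the parent's DS
# RRset and from the `propagation-delay` in the zone's dnssec-policy.
PARENT_DS_TTL = 86400
PROPAGATION_DELAY = 3600


def parse_ds_ttls(answer_lines):
    """Return the TTLs of the DS records in dig-style answer lines.

    An empty list means the parent has withdrawn the DS (or the query
    returned nothing); any TTL present means the DS is still published.
    """
    ttls = []
    for line in answer_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "IN" and fields[3] == "DS":
            ttls.append(int(fields[1]))
    return ttls


def earliest_key_removal(ds_gone_at, ds_ttl, propagation_delay):
    """Epoch seconds from which the DNSKEY/RRSIG material may be dropped.

    Caches may hold the old DS for up to its TTL after the parent stopped
    serving it, and the parent's own servers may lag by the propagation
    delay, so both are added to the moment the withdrawal was observed.
    The TTLs inside the child zone itself play no role here.
    """
    return ds_gone_at + ds_ttl + propagation_delay


def key_removal_decision(answer_lines, observed_at, last_seen_ds_ttl,
                         propagation_delay, now):
    """Decide whether key material can be removed at time `now`.

    answer_lines:      current DS answer from the parent (constructed here)
    observed_at:       epoch seconds when the DS was first seen to be gone
    last_seen_ds_ttl:  TTL the DS had while it was still published
    Returns ("wait", None) while the DS is still published, otherwise
    ("wait" or "remove", due) with the earliest safe removal time.
    """
    if parse_ds_ttls(answer_lines):
        return ("wait", None)  # parent still serves the DS: do not unsign yet
    due = earliest_key_removal(observed_at, last_seen_ds_ttl, propagation_delay)
    return ("remove" if now >= due else "wait", due)


if __name__ == "__main__":
    observed = 1_000_000  # constructed timestamp of the observed DS withdrawal
    print(key_removal_decision(DS_STILL_PUBLISHED, observed, PARENT_DS_TTL,
                               PROPAGATION_DELAY, observed))
    print(key_removal_decision(DS_WITHDRAWN, observed, PARENT_DS_TTL,
                               PROPAGATION_DELAY, observed + 3600))
    print(key_removal_decision(DS_WITHDRAWN, observed, PARENT_DS_TTL,
                               PROPAGATION_DELAY, observed + 90_000))
```

In practice you would feed `parse_ds_ttls` the live answer from each of the parent's authoritative servers and record the first moment all of them return no DS; only then does the clock for `earliest_key_removal` start.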
