* Sebastian Wiesinger <sebast...@karotte.org> [2018-10-24 10:08]:
> Hi,
>
> I'm currently testing a KSK algorithm rollover with my zone. I changed
> the signature scheme from RSA to ECDSA. Knot started adding new RRSIGs
> and new keys and now waits for the new DS to be published at the
> parent zone. One thing strikes me as odd though:
>
> http://dnsviz.net/d/6v6.de/W9AmtA/dnssec/
>
> Looking at the graph the new KSK (54879) is not signing anything right
> now. Shouldn't it sign the DNSKEY records of the ZSKs so that the
> chain stays intact when the DS record changed at the parent zone?

Hi,

it seems this is only a display problem at dnsviz.net. After the new DS
was added it looks right (except that DENIC did not delete the old DS at
the same time):

http://dnsviz.net/d/6v6.de/W9Ar5Q/dnssec/

Regards

Sebastian

-- 
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
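
A check that does not depend on how dnsviz.net draws the graph, as an added example that is not part of the original post: for every DS at the parent, confirm that a DNSKEY with the same key tag and algorithm exists and that it signs the DNSKEY RRset. It assumes `dig +multi` style records flattened to one line each with the `key id` comment kept; the zone name `example.test`, the key data and the tags 11111 and 22222 are constructed, and only tag 54879 comes from the thread.

```python
import re

# Constructed sample (not real key material). 54879 is the new ECDSA KSK from
# the thread; 11111 (old RSA KSK) and 22222 (ZSK) are placeholder key tags.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 13 ( AAAA ) ; KSK; alg = ECDSAP256SHA256 ; key id = 54879
example.test. 3600 IN DNSKEY 257 3 8 ( BBBB ) ; KSK; alg = RSASHA256 ; key id = 11111
example.test. 3600 IN DNSKEY 256 3 13 ( CCCC ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 22222
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20181107000000 20181024000000 11111 example.test. DDDD
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20181107000000 20181024000000 54879 example.test. EEEE
example.test. 86400 IN DS 11111 8 2 FFFF
example.test. 86400 IN DS 54879 13 2 ABCD
"""

# DNSKEY: flags, protocol (always 3), algorithm, then dig's "key id" comment.
DNSKEY_RE = re.compile(r"IN\s+DNSKEY\s+\d+\s+3\s+(\d+)\s.*key id = (\d+)")
# RRSIG over DNSKEY: algorithm, labels, original TTL, expiration, inception, key tag.
RRSIG_RE = re.compile(r"IN\s+RRSIG\s+DNSKEY\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s")
# DS: key tag, algorithm.
DS_RE = re.compile(r"IN\s+DS\s+(\d+)\s+(\d+)\s")


def check_chain(text):
    """Return {DS key tag: status} for the DS, DNSKEY and RRSIG lines in text."""
    keys, signers, ds = set(), set(), []
    for line in text.splitlines():
        if m := DNSKEY_RE.search(line):
            keys.add((int(m[2]), int(m[1])))      # (tag, algorithm)
        elif m := RRSIG_RE.search(line):
            signers.add((int(m[2]), int(m[1])))   # (tag, algorithm)
        elif m := DS_RE.search(line):
            ds.append((int(m[1]), int(m[2])))
    report = {}
    for tag, alg in ds:
        if (tag, alg) not in keys:
            report[tag] = "no matching DNSKEY"
        elif (tag, alg) not in signers:
            report[tag] = "DNSKEY RRset not signed by this key"
        else:
            report[tag] = "ok"
    return report


if __name__ == "__main__":
    for tag, status in check_chain(SAMPLE).items():
        print(f"DS {tag}: {status}")
```

Key tags are not unique identifiers, so a match on tag and algorithm shows which key a signature claims to come from; it does not replace cryptographic validation by a resolver.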