On 19/08/2021 11:43, mj wrote:

Hi MJ,

[snip]

> Now the two questions.
>
> We have set in knot.conf:
>
> zsk-lifetime: 30d
> ksk-lifetime: 365d
>
> We understand that with the above config, monthly zsk key rollovers
> happen automatically "inside" knot, but the yearly rollover (ksk) needs
> to be manually propagated by us to the parent dns. (through for example
> secured email to the admins at company.com)

Correct. When the KSK is rolled, you need to send the new DS records to the parent zone admins.

> Question one:
> Is there some kind of notification mechanism in knot, that reminds us
> (through email for example) that a ksk is about to expire, and keys need
> to be renewed at company.com dns? I cannot find such a function. Does it
> not exist? Or do we misunderstand something? It seems to be so vital.

KSKs do not "expire". When the time comes to roll the KSK, Knot will do that, and then log this. You can monitor the log file to see when this happens, and then submit the new DS record to the parent zone.

Once the parent zone has the new DS record, and you have waited a reasonable amount of time for the DS record to propagate, you can inform Knot of the submission with "knotc zone-ksk-submitted <zone1> <zone2> ...". After this Knot will withdraw the old key and signatures.

Alternatively, you can configure Knot with the name servers of the parent zone, or a validating resolver, and it will keep checking for the new DS record by itself. When it detects the new DS record, it will complete the roll-over by itself. Look at the config section called "submission".

> Question two:
> How unreasonable/insecure would it be to take a longer ksk lifetime than
> one year, let's say 10 years. With the idea that we can always manually
> renew keys earlier, in case we need to.

There is no need to roll the KSK periodically. If you feel that your key is safe, and the cryptographic algorithm is strong enough, then you can set "ksk-lifetime" to 0, and Knot will never do a KSK roll-over by itself.

Then, you can perform the KSK roll-over manually if/when you need to.

Regards,
Anand

-- 
https://lists.nic.cz/mailman/listinfo/knot-dns-users
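An added example, not part of the original thread, showing how the two points above fit together in knot.conf: the "submission" section lets Knot poll the parent's name servers for the new DS record and finish the KSK roll-over on its own, while "ksk-lifetime: 0" leaves the decision to start a KSK roll-over to the operator. The zone name example.com, the remote id "parent-ns", the policy id "manual-ksk" and the parent address 192.0.2.53 are placeholders chosen for the example.

```yaml
# Name server of the parent zone that Knot will query for the DS record.
# The address is a placeholder; use the parent's real authoritative servers
# (or a validating resolver, as mentioned in the reply above).
remote:
  - id: parent-ns
    address: 192.0.2.53

# Tell Knot where and how often to look for the new DS record after a KSK roll.
submission:
  - id: parent-ds-check
    parent: [parent-ns]
    check-interval: 1h   # how often to re-query the parent until the DS appears

policy:
  - id: manual-ksk
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d     # ZSK rolls monthly, entirely inside Knot
    ksk-lifetime: 0       # 0 = Knot never starts a KSK roll-over by itself
    ksk-submission: parent-ds-check   # link the policy to the DS check above

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual-ksk
```

With this in place a KSK roll-over is started by the operator (for example with the knotc key-management commands when you decide the key should change), Knot logs the new KSK, and the DS record is published at the parent through whatever channel the parent requires. Knot then keeps querying parent-ns every check-interval and withdraws the old KSK and its signatures once the new DS is visible. If the automatic check is not wanted, drop the "submission" section and the "ksk-submission" line, watch the log for the KSK roll, and confirm the parent update manually with "knotc zone-ksk-submitted example.com" after the DS has propagated, as the reply describes.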
